tencent cloud


Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Last updated: 2022-06-23 11:14:27
    On August 5, 2020, Tencent Force (force.tencent.com) researched and noticed that Apache SkyWalking had a SQL injection vulnerability (CVE-2020-13921). A new version has been officially released to fix this vulnerability.
    To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers. For more information, see Affected Versions.

    Vulnerability Details

    Apache SkyWalking is an application performance monitor (APM) tool that provides automated and high-performance monitoring solutions for microservices, cloud native, and container-based applications. Its official website shows that it is being used by a large number of Chinese companies in the internet, banking, and civil aviation sectors.
    In multiple versions of SkyWalking, unauthorized GraphQL APIs are opened by default, through which attackers can construct malicious request packets for SQL injection, resulting in the leakage of sensitive information in the user database. In view of the greater impact of this vulnerability, we recommend you fix it as soon as possible.

    Risk Level

    High Risk

    Vulnerability Risk

    Through SQL injection, attackers can steal sensitive information on servers.

    Affected Versions

    Apache SkyWalking 6.0.0–6.6.0
    Apache SkyWalking 7.0.0
    Apache SkyWalking 8.0.0–8.0.1


    Apache SkyWalking 8.1.0

    Suggestions for Fix

    A new version has been officially released to fix this vulnerability. Tencent Security recommends you:
    Recommended solution: Upgrade to Apache SkyWalking 8.1.0 or later.
    Temporary mitigation: If the upgrade is temporarily impossible, as a mitigation measure, we recommend you restrain exposing the GraphQL APIs of Apache SkyWalking to the public network or add a layer of authentication on top of such APIs. -Recommendation for organizational users: Use Tencent Security services to detect and block attacks through this Apache SkyWalking SQL injection vulnerability.
    Tencent Cloud WAF supports detection of and defense against attacks through this SkyWalking SQL injection vulnerability.


    If needed, you can find more information of the vulnerability here.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support