[ZEPPELIN-3725] Possible SQL injection - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.8.0
Fix Version/s: 0.11.0
Component/s: security
Labels:
- beginners
- security

Description

I was playing with Zeppelin. I found JdbcRealm implementation could result in SQL injection. I am not sure about the exploitability. Since an untrusted user need to modify the config.

vulnerable code

userquery = String.format("SELECT %s FROM %s", username, tablename);

Attachments

Issue Links

links to

GitHub Pull Request #4676

Activity

People

Assignee:: Unassigned

Reporter:: Habi Sajitha Ravi

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 16/Aug/18 11:13

Updated:: 05/Feb/24 10:14

Resolved:: 01/Nov/23 15:24