[ZEPPELIN-3725] Possible SQL injection - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 0.8.0
Fix Version/s: None
Component/s: security
Labels:
- beginners
- security

Description

I was playing with Zeppelin. I found JdbcRealm implementation could result in SQL injection. I am not sure about the exploitability. Since an untrusted user need to modify the config.

vulnerable code

userquery = String.format("SELECT %s FROM %s", username, tablename);

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Habi Sajitha Ravi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Aug/18 11:13

Updated:: 16/Aug/18 12:59