Zeppelin / ZEPPELIN-3725

Possible SQL injection


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0
    • Fix Version/s: None
    • Component/s: security

      Description

      I was playing with Zeppelin. I found the JdbcRealm implementation could result in SQL injection. I am not sure about the exploitability, since an untrusted user needs to modify the config.

      Vulnerable code:

      userquery = String.format("SELECT %s FROM %s", username, tablename);
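As an added example (not part of the reporter's issue and not Zeppelin's own code), the Python below shows the defensive counterpart of the line above: table and column names cannot be passed as bind parameters, so each config-derived identifier is checked against an allow-list pattern before it is interpolated into the statement. The sqlite3 table and the tampered config value are constructed for the demo.

```python
import re
import sqlite3

# Table and column names cannot be bound as query parameters, so any
# identifier taken from configuration is checked against an allow-list
# pattern before it is spliced into the statement text.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_identifier(name):
    """True only for a plain, unquoted SQL identifier (no spaces, ';', quotes)."""
    return IDENTIFIER.fullmatch(name) is not None


def build_select(column, table):
    """Safe counterpart of String.format("SELECT %s FROM %s", ...):
    refuses any identifier that could smuggle extra SQL into the query."""
    for ident in (column, table):
        if not is_safe_identifier(ident):
            raise ValueError("refusing unsafe SQL identifier: %r" % ident)
    return "SELECT %s FROM %s" % (column, table)


def fetch_column(conn, column, table):
    """Run the validated query and return the selected column's values."""
    return [row[0] for row in conn.execute(build_select(column, table))]


def demo():
    # Constructed in-memory table standing in for the realm's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'x'), ('bob', 'y')")
    names = fetch_column(conn, "username", "users")
    # A tampered config value that is not a bare identifier is rejected
    # before it ever reaches the query string.
    try:
        build_select("username; --", "users")
        rejected = False
    except ValueError:
        rejected = True
    return names, rejected
```

Quoting the identifier (for example with double quotes) after validation is a further hardening step; the check above is the part that closes the injection path described in the issue.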

            People

            • Assignee: Unassigned
            • Reporter: 1ab1 Habi Sajitha Ravi
            • Votes: 0
            • Watchers: 3
