Remote Code Execution (RCE)
Affecting org.mybatis:mybatis artifact, versions [,3.5.6)
org.mybatis:mybatis is a SQL mapper framework.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). It mishandles deserialization of object streams. All of the following conditions need to be met in order to trigger RCE:
- the user enabled the built-in 2nd level cache
- the user did not set up a JEP-290 filter
- the attacker found a way to modify entries of the private Map field, i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache, and a valid cache key
Upgrade org.mybatis:mybatis to version 3.5.6 or higher.
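
The second condition above refers to the JEP 290 deserialization filter. The following is an added example, not code from the advisory or from the MyBatis project: it installs a process-wide allow-list filter and shows an object graph being rejected once it contains a class outside the list. The class names and the filter pattern are constructed for illustration, and Java 9 or later is assumed.

```java
import java.io.*;
import java.util.*;

public class Jep290FilterDemo {
    // Constructed sample types: CachedUser stands in for a cached result object,
    // Unexpected for any class that is not on the allow-list.
    static class CachedUser implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        CachedUser(String name) { this.name = name; }
    }
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Returns "accepted" or the rejection reason. No per-stream filter is set,
    // so only the process-wide filter decides.
    static String tryDeserialize(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list the cached type plus java.lang and java.util, cap graph
        // depth and reference count, and reject every other class ("!*").
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxrefs=10000;Jep290FilterDemo$CachedUser;"
            + "java.lang.*;java.util.*;!*");
        // Process-wide: applies to every ObjectInputStream in this JVM
        // that has no filter of its own.
        ObjectInputFilter.Config.setSerialFilter(filter);

        List<Object> good = new ArrayList<>(List.of(new CachedUser("alice")));
        List<Object> bad = new ArrayList<>(List.of(new CachedUser("bob"), new Unexpected()));
        System.out.println("allowed graph:  " + tryDeserialize(serialize(good)));
        System.out.println("mixed graph:    " + tryDeserialize(serialize(bad)));
    }
}
```

The same pattern can be supplied without code changes through the jdk.serialFilter system property.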