Remote Code Execution (RCE)

Affecting org.mybatis:mybatis artifact, versions [,3.5.6)


Overview

org.mybatis:mybatis is a SQL mapper framework for Java.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The second-level cache stores results as Java object streams and deserializes them without restricting which classes may be instantiated, so a stream containing a gadget chain is executed on read. All of the following conditions need to be met in order to trigger RCE:

  1. the user enabled the built-in 2nd level cache [1]
  2. the user did not set up a JEP 290 deserialization filter (for example via the jdk.serialFilter property)
  3. the attacker found a way to modify entries of the private Map field org.apache.ibatis.cache.impl.PerpetualCache.cache, and knows a valid cache key under which the tampered entry will be read back
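
The example below illustrates condition 2: the difference between reading a cached object stream with a plain ObjectInputStream and reading it through a JEP 290 ObjectInputFilter. It is an added, stand-alone example and is not MyBatis code; the Row class, the allow-list contents and the sample streams are constructed for the demonstration. In the unfiltered path any class named in the stream is resolved and instantiated; in the filtered path only the allow-listed types survive and everything else is rejected with an InvalidClassException.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SerialFilterDemo {

    // Hypothetical value type standing in for a mapped query result stored in the cache.
    public static final class Row implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        final String name;
        Row(int id, String name) { this.id = id; this.name = name; }
        @Override public String toString() { return "Row{" + id + "," + name + "}"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Condition 2 of the advisory: no JEP 290 filter. Every class name that appears in the
    // stream is resolved and instantiated, which is exactly what a gadget chain relies on.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Mitigation: a JEP 290 filter that allow-lists only the types a cache entry may
    // legitimately contain and rejects everything else ("!*"), with depth and array-size
    // ceilings against resource-exhaustion payloads. The allow-list here is an assumption
    // for this demo; a real one is derived from the application's own result types.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxarray=100000;"
                + Row.class.getName() + ";java.lang.*;java.util.ArrayList;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate cache value, and a stream naming a class that is
        // harmless here (HashMap) but outside the allow-list, standing in for attacker bytes.
        byte[] legitimate = serialize(new ArrayList<>(List.of(new Row(1, "alice"))));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepted: " + deserializeUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepted:   " + deserializeFiltered(legitimate));
        try {
            deserializeFiltered(unexpected);
            System.out.println("filtered accepted the unexpected class (filter not applied?)");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED for java.util.HashMap before it is instantiated.
            System.out.println("filtered rejected:   " + e.getMessage());
        }
    }
}
```

The per-stream setObjectInputFilter call only protects streams your own code opens. The cache described in this advisory deserializes inside the library, so the filter that satisfies condition 2 has to be process-wide: either start the JVM with -Djdk.serialFilter=<pattern> or call ObjectInputFilter.Config.setSerialFilter(...) once at startup, before any deserialization happens. Treat the filter as defence in depth and still apply the upgrade in the Remediation section.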

Remediation

Upgrade org.mybatis:mybatis to version 3.5.6 or higher.

CVSS Score

6.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Credit
Unknown
CVE
CVE-2020-26945
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGMYBATIS-1017032
Disclosed
11 Oct, 2020
Published
11 Oct, 2020