Open mend-for-github-com[bot] opened 10 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
### Vulnerable Library - mybatis-spring-boot-starter-1.3.2.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
### Vulnerabilities

| CVE | CVSS | Vulnerable Library | Fix Resolution | Reachability |
| --- | --- | --- | --- | --- |
| CVE-2020-26945 | 8.1 | mybatis-3.4.6.jar | 3.5.6 | Reachable |

In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

### Details

CVE-2020-26945
### Vulnerable Library - mybatis-3.4.6.jar

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using an XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object-relational mapping tools.
Library home page: http://www.mybatis.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
Dependency Hierarchy:
- mybatis-spring-boot-starter-1.3.2.jar (Root Library)
  - :x: **mybatis-3.4.6.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis

This vulnerability is potentially reachable:

```
org.joychou.controller.XXE (Application)
  -> org.slf4j.LoggerFactory (Extension)
  -> org.slf4j.impl.StaticLoggerBinder (Extension)
  -> org.mybatis.spring.SqlSessionTemplate (Extension)
  ...
  -> org.apache.ibatis.executor.loader.cglib.CglibProxyFactory (Extension)
  -> org.apache.ibatis.executor.loader.cglib.CglibProxyFactory$EnhancedDeserializationProxyImpl (Extension)
  -> ❌ org.apache.ibatis.executor.loader.AbstractSerialStateHolder (Vulnerable Component)
```

### Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Release Date: 2020-10-10
Fix Resolution (org.mybatis:mybatis): 3.5.6
Direct dependency fix Resolution (org.mybatis.spring.boot:mybatis-spring-boot-starter): 2.1.4
In order to enable automatic remediation, please create workflow rules