MendDemo-josh / java-sec-code2

Java web common vulnerabilities and security code, based on Spring Boot and Spring Security

mybatis-spring-boot-starter-1.3.2.jar: 1 vulnerabilities (highest severity is: 8.1) reachable #10

Open mend-for-github-com[bot] opened 7 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - mybatis-spring-boot-starter-1.3.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (mybatis-spring-boot-starter version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-26945 | High | 8.1 | Not Defined | 0.4% | mybatis-3.4.6.jar | Transitive | 2.1.4 | | Reachable |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2020-26945**

### Vulnerable Library - mybatis-3.4.6.jar

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/mybatis-3

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar

Dependency Hierarchy:

- mybatis-spring-boot-starter-1.3.2.jar (Root Library)
  - :x: **mybatis-3.4.6.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable:

```
org.joychou.controller.XXE (Application)
  -> org.apache.commons.digester3.Digester (Extension)
  -> org.apache.commons.digester3.ObjectCreateRule (Extension)
  -> org.apache.ibatis.session.Configuration (Extension)
  ...
  -> org.apache.ibatis.builder.MapperBuilderAssistant (Extension)
  -> org.apache.ibatis.mapping.CacheBuilder (Extension)
  -> ❌ org.apache.ibatis.cache.decorators.SerializedCache (Vulnerable Component)
```

### Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

### CVSS 3 Score Details (8.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2020-10-26

Fix Resolution (org.mybatis:mybatis): 3.5.6

Direct dependency fix Resolution (org.mybatis.spring.boot:mybatis-spring-boot-starter): 2.1.4

In order to enable automatic remediation, please create workflow rules
