The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented
applications. MyBatis couples objects with stored procedures or SQL statements using an XML descriptor or
annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping
tools.
Vulnerable Library - mybatis-spring-boot-starter-1.3.2.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
Vulnerabilities
Reachable
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-26945
### Vulnerable Library - mybatis-3.4.6.jar

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using an XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/mybatis-3
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
Dependency Hierarchy:
- mybatis-spring-boot-starter-1.3.2.jar (Root Library)
  - :x: **mybatis-3.4.6.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.controller.XXE (Application)
  -> org.apache.commons.digester3.Digester (Extension)
  -> org.apache.commons.digester3.ObjectCreateRule (Extension)
  -> org.apache.ibatis.session.Configuration (Extension)
  ...
  -> org.apache.ibatis.builder.MapperBuilderAssistant (Extension)
  -> org.apache.ibatis.mapping.CacheBuilder (Extension)
  -> ❌ org.apache.ibatis.cache.decorators.SerializedCache (Vulnerable Component)
```

### Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2020-10-26
Fix Resolution (org.mybatis:mybatis): 3.5.6
Direct dependency fix Resolution (org.mybatis.spring.boot:mybatis-spring-boot-starter): 2.1.4
In order to enable automatic remediation, please create workflow rules