Open dev-mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using an XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/core/
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Vulnerabilities
Note: in some cases a remediation PR cannot be created automatically for a vulnerability, even when a remediation is available.
Details
CVE-2020-26945
### Vulnerable Library - mybatis-3.1.1.jar
Dependency Hierarchy:
- :x: **mybatis-3.1.1.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis

This vulnerability is potentially reachable:

```
com.ksa.dao.mybatis.plugin.PaginationPlugin (Application)
  -> org.apache.ibatis.session.Configuration (Extension)
  -> org.apache.ibatis.builder.ResultMapResolver (Extension)
  -> org.apache.ibatis.builder.MapperBuilderAssistant (Extension)
  -> org.apache.ibatis.mapping.CacheBuilder (Extension)
  -> ❌ org.apache.ibatis.cache.decorators.SerializedCache (Vulnerable Component)
```

### Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix

Type: Upgrade version
Release Date: 2020-10-26
Fix Resolution: 3.5.6
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue. :rescue_worker_helmet: