CVE-2020-26945: MyBatis Remote Code Execution Vulnerability Alert
MyBatis is a Java persistence framework that couples objects with stored procedures or SQL statements using an XML descriptor or annotations. MyBatis is free software that is distributed under the Apache License 2.0.
The built-in second-level cache stores each entry as a serialized byte array and deserializes it with ObjectInputStream on every cache hit. When all of the following conditions are met, an attacker can therefore trigger RCE (remote code execution) through Java deserialization:
- the user enabled the built-in 2nd level cache [1] with readOnly="false" (the default), so that entries pass through the SerializedCache decorator
- the user did not set up a JEP-290 serialization filter
- the attacker found a way to modify entries of the private Map field org.apache.ibatis.cache.impl.PerpetualCache.cache and knows a valid cache key, so that a crafted object stream is deserialized on the next lookup of that key
Affected versions
- MyBatis < 3.5.6
Solution
MyBatis 3.5.6 fixes the issue; affected users should upgrade as soon as possible. Where an immediate upgrade is not possible, either of the following removes or constrains the deserialization path:
- configure a JEP-290 serialization filter (via -Djdk.serialFilter=... or ObjectInputFilter.Config.setSerialFilter) that allows only the classes the cached values legitimately contain and rejects everything else
- declare the mapper cache with readOnly="true", which makes the built-in cache hand back the stored object instance directly instead of serializing and deserializing it (all callers then share one mutable instance, so this is a behavioural change the application must tolerate)
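The following Java program, added here as an example and not code from the page or from the MyBatis project, builds the same decorator chain the built-in second-level cache uses (SerializedCache over PerpetualCache), installs a JEP-290 allowlist filter, and then models the third condition above by writing a serialized object straight into the backing cache under a valid key. java.io.File stands in for a gadget class (no real gadget chain is used); the cache id, key and path are constructed for the demo, and the allowlist pattern, MyBatis 3.5.x on the classpath and JDK 9 or later are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

import org.apache.ibatis.cache.Cache;
import org.apache.ibatis.cache.CacheException;
import org.apache.ibatis.cache.decorators.SerializedCache;
import org.apache.ibatis.cache.impl.PerpetualCache;

public class CacheSerialFilterDemo {

    /** Same effect as -Djdk.serialFilter=... on the command line; the process-wide filter may be set only once. */
    static void installSerialFilter() {
        // Allow only the JDK types the cached values legitimately use and reject every other class.
        // A real application adds its own entity packages (e.g. "com.example.model.*", assumed name) before "!*".
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.*;java.util.*;maxdepth=20;!*");
        ObjectInputFilter.Config.setSerialFilter(filter);
    }

    /** Plain Java serialization, used to fabricate the byte[] an attacker with access to the backing map would plant. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        installSerialFilter();

        // The built-in 2nd level cache with readOnly="false" (the default) wraps PerpetualCache in SerializedCache.
        PerpetualCache backing = new PerpetualCache("com.example.mapper.UserMapper"); // constructed cache id
        Cache cache = new SerializedCache(backing);

        // Normal use: the value is serialized on put and deserialized on get, and the allowlist admits it.
        List<String> names = new ArrayList<>(List.of("alice", "bob"));
        cache.putObject("selectNames", names);
        System.out.println("normal read: " + cache.getObject("selectNames"));

        // Condition 3 from the advisory: an entry planted directly in the backing map under a valid key,
        // bypassing SerializedCache.putObject. Any class outside the allowlist is handled like java.io.File here.
        backing.putObject("selectNames", serialize(new File("/tmp/planted")));
        try {
            cache.getObject("selectNames");   // reaches ObjectInputStream.readObject() on attacker-chosen bytes
            System.out.println("planted entry deserialized: no filter in effect");
        } catch (CacheException e) {
            // With the filter installed, readObject() throws InvalidClassException ("filter status: REJECTED")
            // before java.io.File is instantiated; MyBatis wraps that in CacheException.
            System.out.println("planted entry rejected: " + e.getCause());
        }
    }
}
```

Without installSerialFilter() the second lookup deserializes whatever was planted, which is exactly the path the advisory describes; with it, the planted entry is refused before any constructor, readObject or readResolve of the unexpected class runs. Setting the cache to readOnly="true" instead removes the SerializedCache decorator from the chain, so there are no bytes to deserialize at all.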