CVE-2020-26945: MyBatis Remote Code Execution Vulnerability Alert

MyBatis is a Java persistence framework that couples objects with stored procedures or SQL statements using an XML descriptor or annotations. MyBatis is free software distributed under the Apache License 2.0.

On October 6, 2020, MyBatis officially released version 3.5.6, which fixes a remote code execution vulnerability. The vulnerability number is CVE-2020-26945.

When all of the following conditions are met, the attacker can trigger RCE (remote code execution).

  1. the user enabled the built-in 2nd level cache [1]
  2. the user did not set up the JEP-290 filter
  3. the attacker found a way to modify entries of the private Map field, i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache, and knows a valid cache key
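Condition 2 is the one an operator can remove without waiting for an upgrade. The following is an added defensive example, not code from the advisory or from the MyBatis project: it builds a JEP-290 allowlist filter and shows it rejecting a class outside the list. It assumes Java 9 or later (java.io.ObjectInputFilter) and uses com.example.model as a placeholder for the application's own entity package.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Allowlist: application entity classes (placeholder package), a few JDK
    // types cache entries legitimately contain, plus depth/array limits.
    // The trailing "!*" rejects every class not matched above.
    static final String PATTERN =
        "maxdepth=20;maxarray=100000;"
        + "com.example.model.**;"
        + "java.lang.*;java.util.ArrayList;java.util.HashMap;java.util.LinkedHashMap;"
        + "!*";

    static ObjectInputFilter buildFilter() {
        return ObjectInputFilter.Config.createFilter(PATTERN);
    }

    // Process-wide installation; equivalent to starting the JVM with
    // -Djdk.serialFilter=<PATTERN>. May only be called once per JVM.
    static void installGlobally() {
        ObjectInputFilter.Config.setSerialFilter(buildFilter());
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Per-stream variant, useful when a global filter cannot be set.
    static Object deserializeWithFilter(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = buildFilter();
        List<String> allowed = new ArrayList<>();      // constructed sample cache value
        allowed.add("row-1");
        System.out.println("accepted: " + deserializeWithFilter(serialize(allowed), filter));
        try {
            // java.util.Date is not on the allowlist, so the filter rejects it
            deserializeWithFilter(serialize(new java.util.Date()), filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must be tuned to the classes the application actually caches; a filter that is too narrow shows up as InvalidClassException on cache reads, which is the signal to inspect and extend the pattern rather than to remove the filter.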

Affected version

  • MyBatis < 3.5.6

Solution

At present, the vendor has released an upgrade that fixes this vulnerability, and affected users are advised to upgrade MyBatis to 3.5.6 or later as soon as possible.