October 25, 2020

CVE-2020-26945: MyBatis Remote Code Execution Vulnerability Alert

1 min read

MyBatis is a Java persistence framework that couples objects with stored procedures or SQL statements using an XML descriptor or annotations. MyBatis is free software that is distributed under the Apache License 2.0.CVE-2020-26945

On October 6, 2020, MyBatis officially released version 3.5.6, which fixes a remote code execution vulnerability. The vulnerability number is CVE-2020-26945.

When all of the following conditions are met, the attacker can trigger RCE (remote code execution).

  1. the user enabled the built-in 2nd level cache [1]
  2. the user did not set up the JEP-290 filter
  3. the attacker found a way to modify entries of the private Map field i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache and a valid cache key

Affected version

  • Mybatis < 3.5.6


At present, the manufacturer has released upgrade patches to fix the vulnerabilities, and affected users are requested to upgrade Mybatis as soon as possible.