MyBatis is a Java persistence framework that couples objects with stored procedures or SQL statements using an XML descriptor or annotations. MyBatis is free software that is distributed under the Apache License 2.0.
When all of the following conditions are met, the attacker can trigger RCE (remote code execution).
- the user enabled the built-in 2nd level cache 
- the user did not set up the JEP-290 filter
- the attacker found a way to modify entries of the private Map field i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache and a valid cache key
- Mybatis < 3.5.6
At present, the manufacturer has released upgrade patches to fix the vulnerabilities, and affected users are requested to upgrade Mybatis as soon as possible.