ALT-PU-2026-2190-1

Package update mybatis in branch sisyphus

Version3.5.19-alt1

Published2026-01-22

Max severityCRITICAL

Severity:

Closed issues (5)

HIGH8.1

Уязвимость персистентного фреймворка MyBatis языка программирования Java(Kotlin) , связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код

Published: 2025-04-11

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-26945

HIGH8.1

MyBatis before 3.5.6 mishandles deserialization of object streams.

Published: 2020-10-10Modified: 2024-11-21

CVSS 2.0MEDIUM 5.1

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CRITICAL9.8

A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.

Published: 2023-04-05Modified: 2024-11-21

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-32qq-m9fh-f74w

CRITICAL9.8

MyBatis-Plus vulnerable to SQL injection via TenantPlugin

Published: 2023-04-05Modified: 2024-06-03

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-qq48-m4jx-xqh8

HIGH8.1

"Deserialization errors in MyBatis"

Published: 2021-04-22Modified: 2021-04-21

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References