mybatis-spring-boot-starter-1.3.2.jar: 1 vulnerabilities (highest severity is: 8.1) reachable

[mend-for-github-com]

Vulnerable Library - mybatis-spring-boot-starter-1.3.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (mybatis-spring-boot-starter version)	Remediation Possible**	Reachability
CVE-2020-26945	High	8.1	Not Defined	1.2%	mybatis-3.4.6.jar	Transitive	2.1.4	✅	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-26945

Vulnerable Library - mybatis-3.4.6.jar

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar

Dependency Hierarchy:

• mybatis-spring-boot-starter-1.3.2.jar (Root Library)
  • ❌ mybatis-3.4.6.jar (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.joychou.mapper.UserMapper (Application)
  -> ❌ org.apache.ibatis.annotations.Select (Vulnerable Component)

Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-10

Fix Resolution (org.mybatis:mybatis): 3.5.6

Direct dependency fix Resolution (org.mybatis.spring.boot:mybatis-spring-boot-starter): 2.1.4

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.