https://bugzilla.redhat.com/show_bug.cgi?id=1887257
Bug ID: 1887257
Summary: CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mkaplan@redhat.com
CC: aileenc@redhat.com, bibryam@redhat.com, chazlett@redhat.com, drieden@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, jwon@redhat.com, pantinor@redhat.com, puntogil@libero.it
Target Milestone: ---
Classification: Other

MyBatis before 3.5.6 mishandles deserialization of object streams.
References:
https://github.com/mybatis/mybatis-3/compare/mybatis-3.5.5...mybatis-3.5.6
https://github.com/mybatis/mybatis-3/pull/2079