https://bugzilla.redhat.com/show_bug.cgi?id=1887257
Bug ID: 1887257
Summary: CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mkaplan@redhat.com
CC: aileenc@redhat.com, bibryam@redhat.com, chazlett@redhat.com, drieden@redhat.com, extras-orphan@fedoraproject.org, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, jwon@redhat.com, pantinor@redhat.com, puntogil@libero.it
Target Milestone: ---
Classification: Other
MyBatis before 3.5.6 mishandles deserialization of object streams.
References:
https://github.com/mybatis/mybatis-3/compare/mybatis-3.5.5...mybatis-3.5.6
https://github.com/mybatis/mybatis-3/pull/2079
Michael Kaplan mkaplan@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1887258
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1887258 [Bug 1887258] CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution [fedora-31]
--- Comment #1 from Michael Kaplan mkaplan@redhat.com --- Created mybatis tracking bugs for this issue:
Affects: fedora-31 [bug 1887258]
Michael Kaplan mkaplan@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1887259
Ted (Jong Seok) Won jwon@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version| |mybatis 3.5.6
--- Comment #2 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Bug 1887257 depends on bug 1887258, which changed state.
Bug 1887258 Summary: CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution [fedora-31]
https://bugzilla.redhat.com/show_bug.cgi?id=1887258
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Link ID| |Red Hat Product Errata
 | |RHSA-2021:3140
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed| |2021-08-11 19:28:41
--- Comment #5 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-26945