Description
A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.
Remediation
References
https://baomidou.com/reference/about-cve/
https://github.com/FCncdn/MybatisPlusTenantPluginSQLInjection-POC/blob/master/Readme.en.md
Related Vulnerabilities
CVE-2023-46998 Vulnerability in maven package org.webjars.npm:bootbox
CVE-2019-5417 Vulnerability in npm package serve
CVE-2020-23814 Vulnerability in maven package com.xuxueli:xxl-job
CVE-2022-25901 Vulnerability in npm package cookiejar
CVE-2009-4611 Vulnerability in maven package org.mortbay.jetty:jetty