Description
A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.
Remediation
References
https://baomidou.com/reference/about-cve/
https://github.com/FCncdn/MybatisPlusTenantPluginSQLInjection-POC/blob/master/Readme.en.md
Related Vulnerabilities
CVE-2023-40344 Vulnerability in maven package org.jenkins-ci.plugins:delphix
CVE-2021-38384 Vulnerability in npm package serverless-offline
CVE-2021-3190 Vulnerability in npm package async-git
CVE-2022-40151 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2023-37958 Vulnerability in maven package org.jenkins-ci.plugins:sumologic-publisher