摘要:
mybatis security update
安全等级: Critical
公告ID: KylinSec-SA-2023-1915
发布日期: 2023年12月29日
关联CVE: CVE-2023-25330
The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools. To use the MyBatis data mapper, you rely on your own objects, XML, and SQL. There is little to learn that you don't already know. With the MyBatis data mapper, you have the full power of both SQL and stored procedures at your fingertips. The MyBatis project is developed and maintained by a team that includes the original creators of the "iBATIS" data mapper. The Apache project was retired and continued here.
Security Fix(es):
A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.(CVE-2023-25330)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2023-25330 | KY3.4-4A | mybatis | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| mybatis-javadoc | noarch | 3.5.8-1.kb1.ky3_4 |
| mybatis | noarch | 3.5.8-1.kb1.ky3_4 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
