Description
A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.
Remediation
References
https://github.com/FCncdn/MybatisPlusTenantPluginSQLInjection-POC/blob/master/Readme.en.md
https://baomidou.com/reference/about-cve/
Related Vulnerabilities
CVE-2023-46604 Vulnerability in maven package org.apache.activemq:activemq-openwire-legacy
CVE-2018-19837 Vulnerability in maven package org.webjars.npm:node-sass
CVE-2020-7727 Vulnerability in npm package gedi
CVE-2014-3577 Vulnerability in maven package org.apache.httpcomponents:httpclient
CVE-2019-0227 Vulnerability in maven package org.apache.axis:axis-rt-core