CVE-2023-25330

CRITICAL

Mybatis Plus < 3.5.3.1 - SQL Injection via Tenant ID Valuer

Title source: llm
STIX 2.1

Description

A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.

Scores

CVSS v3 9.8
EPSS 0.0121
EPSS Percentile 64.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
com.baomidou/mybatis-plus 0 - 3.5.3.1Maven
mybatis/mybatis < 3.5.3.1
Published Apr 05, 2023
Tracked Since Feb 18, 2026