CVE-2022-25517
📋 TL;DR
CVE-2022-25517 is a SQL injection vulnerability in MyBatis Plus v3.4.3 that allows attackers to execute arbitrary SQL commands through the Column parameter in AbstractWrapper.java. This affects applications using vulnerable versions of MyBatis Plus with user-controlled input passed to column methods. The vendor disputes this as a vulnerability, stating it's intended behavior.
💻 Affected Systems
- MyBatis Plus
📦 What is this software?
Mybatis Plus by Baomidou
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including data theft, modification, deletion, and potential remote code execution via database functions.
Likely Case
Data exfiltration, privilege escalation, and application data manipulation.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
Public proof-of-concept available on GitHub. Exploitation requires user input to reach vulnerable column methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/baomidou/mybatis-plus/issues/4407
Restart Required: No
Instructions:
No official patch. Vendor considers this intended behavior. Upgrade to newer versions and implement proper input validation.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for all user-provided column names and prevent dynamic column selection from untrusted sources.
Use Parameterized Queries
Avoid using column() methods with dynamic user input. Use static column names or whitelist allowed columns.
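As an added illustration (not code from this page or from the MyBatis Plus project), the whitelist workaround applied to a client-supplied sort field: the entity class `User`, the parameter name and the column names are assumed, and the sort column is used as the example of a value reaching a column method.

```java
import java.util.Map;
import java.util.Optional;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;

// Hypothetical entity, assumed for illustration only.
class User { }

public class SafeColumnSelection {

    // Allow-list mapping request parameter values to real column names.
    // Only these literal strings can ever reach a column() method.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "name", "user_name",
            "created", "created_at",
            "email", "email");

    // Vulnerable pattern: the request value goes straight into a column
    // method, so MyBatis Plus concatenates it into the generated SQL.
    static QueryWrapper<User> unsafeSort(String requestedSort) {
        return new QueryWrapper<User>().orderByAsc(requestedSort);
    }

    // Hardened pattern: resolve the request value through the allow-list
    // and reject anything that is not a known key.
    static Optional<String> resolveColumn(String requestedSort) {
        return Optional.ofNullable(SORTABLE_COLUMNS.get(requestedSort));
    }

    static QueryWrapper<User> safeSort(String requestedSort) {
        String column = resolveColumn(requestedSort)
                .orElseThrow(() -> new IllegalArgumentException(
                        "unknown sort field: " + requestedSort));
        return new QueryWrapper<User>().orderByAsc(column);
    }

    public static void main(String[] args) {
        // Known key resolves to a fixed column name.
        System.out.println(safeSort("created").getSqlSegment());
        // Anything outside the allow-list is rejected before SQL is built.
        try {
            safeSort("created_at, user_name");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list lookup applies to every column-taking method of the wrapper (eq, like, select, groupBy and so on), not only to ordering.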
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all column parameters
- Use web application firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if using MyBatis Plus v3.4.3 and if application uses column() methods with user input.
Check Version:
Check pom.xml or build.gradle for mybatis-plus-boot-starter version
Verify Fix Applied:
Verify no user input reaches column() methods and all column names are validated/whitelisted.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries with dynamic column names
- SQL syntax errors from unexpected column values
Network Indicators:
- SQL injection patterns in HTTP parameters
SIEM Query:
source="application_logs" AND ("column(" OR "AbstractWrapper") AND (sql_error OR injection_pattern)