CVE-2023-25330
📋 TL;DR
A SQL injection vulnerability in Mybatis Plus versions below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands by manipulating tenant ID values. This affects applications using Mybatis Plus with multi-tenancy features. The vendor states this only occurs in misconfigured applications that don't follow secure development practices.
💻 Affected Systems
- Mybatis Plus
📦 What is this software?
Mybatis by Mybatis
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including data theft, modification, deletion, and potential remote code execution through database functions.
Likely Case
Data exfiltration, privilege escalation, and unauthorized data access through SQL injection.
If Mitigated
No impact if proper input validation and parameterized queries are implemented as per vendor documentation.
🎯 Exploit Status
Public proof-of-concept available. Exploitation requires access to tenant ID parameter without proper input validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.3.1 and later
Vendor Advisory: https://baomidou.com/reference/about-cve/
Restart Required: Yes
Instructions:
1. Update the Mybatis Plus dependency to version 3.5.3.1 or later.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Test multi-tenancy functionality.
🔧 Temporary Workarounds
Implement Input Validation
Add strict input validation for tenant ID parameters before passing them to Mybatis Plus
Disable Multi-Tenancy
Temporarily disable multi-tenancy features if they are not required
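The "Implement Input Validation" workaround above, as an added example (not code from the advisory or from the Mybatis Plus project): a TenantLineHandler that accepts only a plain integer tenant ID and hands it to the interceptor as a numeric literal, failing closed on anything else. The ThreadLocal holder, the filter that populates it and the `sys_config` table name are assumptions for illustration.

```java
import com.baomidou.mybatisplus.extension.plugins.MybatisPlusInterceptor;
import com.baomidou.mybatisplus.extension.plugins.handler.TenantLineHandler;
import com.baomidou.mybatisplus.extension.plugins.inner.TenantLineInnerInterceptor;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.expression.LongValue;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.regex.Pattern;

/** Strictly validating tenant handler (added example, not from the advisory or the project). */
public class StrictTenantLineHandler implements TenantLineHandler {
    // Only plain decimal integers are accepted; anything else is rejected before it reaches SQL.
    private static final Pattern TENANT_ID = Pattern.compile("^[0-9]{1,18}$");

    // Hypothetical holder, populated by an authentication filter from the verified session
    // or token, never directly from a user-editable request parameter.
    public static final ThreadLocal<String> CURRENT_TENANT = new ThreadLocal<>();

    @Override
    public Expression getTenantId() {
        String raw = CURRENT_TENANT.get();
        if (raw == null || !TENANT_ID.matcher(raw).matches()) {
            // Fail closed: without a valid tenant no tenant-scoped query may run.
            throw new IllegalStateException("invalid or missing tenant id");
        }
        // LongValue renders as a numeric literal, so the value is never spliced in as SQL text.
        return new LongValue(Long.parseLong(raw));
    }

    @Override
    public String getTenantIdColumn() { return "tenant_id"; }

    @Override
    public boolean ignoreTable(String tableName) {
        // Tables without a tenant column (assumed name) are exempt from the tenant predicate.
        return "sys_config".equalsIgnoreCase(tableName);
    }
}

@Configuration
class TenantPluginConfig {
    @Bean
    public MybatisPlusInterceptor mybatisPlusInterceptor() {
        MybatisPlusInterceptor interceptor = new MybatisPlusInterceptor();
        interceptor.addInnerInterceptor(new TenantLineInnerInterceptor(new StrictTenantLineHandler()));
        return interceptor;
    }
}
```

Validation at this layer complements, not replaces, upgrading to 3.5.3.1 or later.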
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns in tenant ID parameters
- Apply strict input validation and use parameterized queries for all tenant ID handling
🔍 How to Verify
Check if Vulnerable:
Check Mybatis Plus version in dependencies. If below 3.5.3.1 and using multi-tenancy features, assume vulnerable.
Check Version:
Check the `<version>` element of the `com.baomidou:mybatis-plus-boot-starter` dependency in pom.xml, or the equivalent dependency line in build.gradle
Verify Fix Applied:
Verify Mybatis Plus version is 3.5.3.1 or later in dependencies and test multi-tenancy functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries with tenant ID parameters
- SQL syntax errors in tenant context
- Multiple failed login attempts with SQL-like patterns
Network Indicators:
- HTTP requests with SQL injection patterns in tenant ID parameters
- Unusual database connection patterns from application servers
SIEM Query:
source="application_logs" AND ("tenant_id" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "UPDATE" OR "--" OR "'" OR ";"))