Описание
MyBatis PageHelper vulnerable to time-blind SQL injection via orderBy parameter
MyBatis PageHelper versions 3.5.x through 5.3.x were discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-28111
- https://github.com/pagehelper/Mybatis-PageHelper/issues/674
- https://github.com/pagehelper/Mybatis-PageHelper/commit/554a524af2d2b30d09505516adc412468a84d8fa
- https://github.com/pagehelper/Mybatis-PageHelper.git
- https://github.com/yangfar/CVE/blob/main/CVE-2022-42227.md
- https://pagehelper.github.io
- https://www.cnblogs.com/secload/articles/16061420.html
Пакеты
Наименование
com.github.pagehelper:pagehelper
maven
Затронутые версииВерсия исправления
>= 3.5.0, < 5.3.1
5.3.1
Связанные уязвимости
CVSS3: 9.8
nvd
почти 4 года назад
MyBatis PageHelper v1.x.x-v3.7.0 v4.0.0-v5.0.0,v5.1.0-v5.3.0 was discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.