CVE-2023-25330: 
Java vulnerability analysis and mitigation

CVE-2023-25330 is a SQL injection vulnerability discovered in Mybatis plus versions below 3.5.3.1. The vulnerability allows remote attackers to execute arbitrary SQL commands via the tenant ID value. This vulnerability is currently marked as DISPUTED, as the vendor states that this issue only occurs in misconfigured applications, and their documentation provides guidance on how to develop applications that avoid SQL injection (CVE Details, MITRE CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically relates to the tenant plugin's handling of tenant ID values when constructing SQL expressions. The vulnerability occurs when the application has enabled the tenant plugin and the tenant ID is controllable by an external user (NVD).

If successfully exploited, this SQL injection vulnerability could allow attackers to read sensitive data from the database, modify database contents (insert/update/delete operations), execute administrative operations on the database, recover content from files present in the DBMS file system, and potentially issue commands to the operating system (GitHub POC).

The vendor recommends several mitigation strategies: 1) Avoid allowing SQL fragments to be transmitted from the frontend, 2) Use SqlInjectionUtils.check() method to validate string content for SQL injection, 3) Implement proper tenant ID validation and filtering, 4) Use LambdaQueryWrapper or LambdaUpdateWrapper for stricter condition construction (Baomidou Docs).

The vendor has disputed this vulnerability, stating that it only occurs in misconfigured applications and that their documentation adequately discusses how to develop applications that avoid SQL injection. They maintain that this is more of an implementation issue rather than a framework vulnerability (Baomidou Docs).