MyBatis before 3.5.6 mishandles deserialization of object streams. References: https://github.com/mybatis/mybatis-3/compare/mybatis-3.5.5...mybatis-3.5.6 https://github.com/mybatis/mybatis-3/pull/2079
Created mybatis tracking bugs for this issue: Affects: fedora-31 [bug 1887258]
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26945