Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xOTVqLTQ4OHEtNXEzcM4AAw0v

Apiman Manager API affected by Jackson denial of service vulnerability

Impact

Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API.

This does not affect the Apiman Gateway.

Patches

Upgrade to Apiman 3.0.0.Final or later.

If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.

Workarounds

If all users of the Apiman Manager are trusted, you may assess this as low risk, since an account is required to exploit the vulnerability.

References

Permalink: https://github.com/advisories/GHSA-q95j-488q-5q3p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xOTVqLTQ4OHEtNXEzcM4AAw0v
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-q95j-488q-5q3p
References: Repository: https://github.com/apiman/apiman
Blast Radius: 1.0

Affected Packages

maven:io.apiman:apiman-manager-api-impl
Affected Version Ranges: <= 2.2.3.Final
Fixed in: 3.0.0.Final
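As an added example (not part of the advisory or the Apiman project), the script below turns the version ranges stated above into a dependency check: it parses Maven-style versions (dropping qualifiers such as `.Final`), compares them numerically, and scans `mvn dependency:tree` output for `io.apiman:apiman-manager-api-impl` at or below 2.2.3.Final and for `jackson-databind` at or below 2.12.6.0. The sample tree lines are constructed; the Maven coordinate `com.fasterxml.jackson.core:jackson-databind` is the library's real one, and treating `2.12.6` as equal to `2.12.6.0` is an assumption of the zero-padding comparison.

```python
import re

# Affected ranges taken from the advisory text and its Affected Packages section.
AFFECTED = {
    "io.apiman:apiman-manager-api-impl": "2.2.3.Final",        # <= 2.2.3.Final
    "com.fasterxml.jackson.core:jackson-databind": "2.12.6.0",  # <= 2.12.6.0
}
FIXED_IN = "3.0.0.Final"


def parse_version(version: str) -> tuple:
    """Numeric components of a Maven-style version; qualifiers such as '.Final' are dropped."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # stop at the first non-numeric qualifier (Final, SNAPSHOT, ...)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b, padding shorter versions with zeros (assumption)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(artifact: str, version: str) -> bool:
    """True if the artifact is listed in AFFECTED and version is within its affected range."""
    max_version = AFFECTED.get(artifact)
    return max_version is not None and compare_versions(version, max_version) <= 0


def scan_dependency_tree(lines) -> list:
    """Return (artifact, version) pairs from `mvn dependency:tree` output that are affected."""
    # groupId:artifactId:type:version:scope, as printed by the Maven dependency plugin
    pattern = re.compile(r"([\w.\-]+:[\w.\-]+):(?:jar|war|pom):([\w.\-]+):\w+")
    findings = []
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        artifact, version = match.group(1), match.group(2)
        if is_affected(artifact, version):
            findings.append((artifact, version))
    return findings


# Constructed sample lines in the format printed by `mvn dependency:tree`.
SAMPLE_TREE = [
    "[INFO] com.example:my-apiman-deployment:war:1.0-SNAPSHOT",
    "[INFO] +- io.apiman:apiman-manager-api-impl:jar:2.2.3.Final:compile",
    "[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile",
    "[INFO] \\- io.apiman:apiman-gateway-engine-core:jar:2.2.3.Final:compile",
]

if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version} is in the affected range; upgrade Apiman to {FIXED_IN}")
```

Feed the real output of `mvn dependency:tree` to `scan_dependency_tree` line by line; the gateway artifact in the sample is deliberately left unflagged because the advisory states the Gateway is not affected.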