Apiman Manager API affected by Jackson denial of service vulnerability

Impact

Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API.

This does not affect the Apiman Gateway.

Patches

Upgrade to Apiman 3.0.0.Final or later.

If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.

Workarounds

If all users of the Apiman Manager are trusted then you may assess this is low risk, as an account is required to exploit the vulnerability.

References

Apiman maintainer and security contact: marc@blackparrotlabs.io
https://nvd.nist.gov/vuln/detail/CVE-2020-36518
FasterXML/jackson-databind#2816

References

msavy published to apiman/apiman Jan 5, 2023

Published to the GitHub Advisory Database Jan 9, 2023

Reviewed Jan 9, 2023

Last updated Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code