GHSA-q95j-488q-5q3p

Source
https://github.com/advisories/GHSA-q95j-488q-5q3p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-q95j-488q-5q3p/GHSA-q95j-488q-5q3p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q95j-488q-5q3p
Published
2023-01-09T20:05:31Z
Modified
2023-01-09T20:05:31Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Apiman Manager API affected by Jackson denial of service vulnerability
Details

Impact

Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API.

This does not affect the Apiman Gateway.

Patches

Upgrade to Apiman 3.0.0.Final or later.

If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.

Workarounds

If all users of the Apiman Manager are trusted, then you may assess this as low risk, since an authenticated account is required to exploit the vulnerability.

References

  • Apiman maintainer and security contact: marc@blackparrotlabs.io
  • https://nvd.nist.gov/vuln/detail/CVE-2020-36518
  • https://github.com/FasterXML/jackson-databind/issues/2816
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-787"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:05:31Z"
}
Affected packages

Maven / io.apiman:apiman-manager-api-impl

Package

Name
io.apiman:apiman-manager-api-impl
Purl
pkg:maven/io.apiman/apiman-manager-api-impl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.0.0.Final

Database specific

{
    "last_known_affected_version_range": "<= 2.2.3.Final"
}