Lucene search

K
osvGoogleOSV:GHSA-Q95J-488Q-5Q3P
HistoryJan 09, 2023 - 8:05 p.m.

Apiman Manager API affected by Jackson denial of service vulnerability

2023-01-0920:05:31
Google
osv.dev
11
apiman
manager
api
jackson
denial of service
vulnerability
configuration
denial of service
patch
upgrade
workarounds
nvd
cve-2020-36518
security
contact
nist
issues
software

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

60.0%

Impact

Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API.

This does not affect the Apiman Gateway.

Patches

Upgrade to Apiman 3.0.0.Final or later.

If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.

Workarounds

If all users of the Apiman Manager are trusted then you may assess this is low risk, as an account is required to exploit the vulnerability.

References

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

60.0%