Apiman Manager API affected by Jackson denial of service vulnerability
Package
Affected versions: <= 2.2.3.Final
Patched versions: 3.0.0.Final
Description
Published to the GitHub Advisory Database: Jan 9, 2023
Reviewed: Jan 9, 2023
Last updated: Jan 9, 2023
Impact
Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API. This does not affect the Apiman Gateway.
Patches
Upgrade to Apiman 3.0.0.Final or later.
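As an added example (not part of the advisory or of the Apiman project), a check that scans `mvn dependency:tree` output for the two version thresholds the advisory states, so a deployment can be assessed before upgrading. The `io.apiman` groupId and the artifact names in the constructed sample tree are assumptions.

```python
"""Flag Apiman / jackson-databind versions affected by this advisory in Maven dependency output."""
import re

# Thresholds taken from the advisory text.
JACKSON_MAX_AFFECTED = "2.12.6.0"    # jackson-databind <= 2.12.6.0 is affected
APIMAN_MAX_AFFECTED = "2.2.3.Final"  # Apiman <= 2.2.3.Final is affected
APIMAN_GROUP_ID = "io.apiman"        # assumption: Apiman's Maven groupId

# groupId:artifactId:type:version[:scope], as printed by `mvn dependency:tree`.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")

# Constructed sample output; artifact names are illustrative, not real Apiman artifacts.
SAMPLE_TREE = r"""
[INFO] io.apiman:apiman-manager-api-example:war:2.2.3.Final
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
"""


def version_key(version):
    """Turn '2.12.6', '2.12.6.1' or '3.0.0.Final' into a comparable 4-tuple of ints.
    Non-numeric qualifiers such as 'Final' are dropped and short versions are
    zero-padded, so '2.12.6' compares equal to the advisory's '2.12.6.0'."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version, max_affected):
    """True when version is at or below the advisory's last affected version."""
    return version_key(version) <= version_key(max_affected)


def scan_dependency_tree(tree_text):
    """Return (artifact, version, reason) findings for every line matching a threshold."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group == "com.fasterxml.jackson.core" and artifact == "jackson-databind" \
                and is_affected(version, JACKSON_MAX_AFFECTED):
            findings.append((artifact, version, "jackson-databind <= 2.12.6.0"))
        if group.startswith(APIMAN_GROUP_ID) and is_affected(version, APIMAN_MAX_AFFECTED):
            findings.append((artifact, version, "Apiman <= 2.2.3.Final"))
    return findings


if __name__ == "__main__":
    for artifact, version, reason in scan_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED {artifact} {version}: {reason}")
```

Pipe real `mvn dependency:tree` output into `scan_dependency_tree` in place of the sample; an empty result for both thresholds means the deployment is already on patched versions.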
If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.
Workarounds
If all users of the Apiman Manager are trusted, you may assess this as low risk, since an account is required to exploit the vulnerability.
References