CVE-2020-8840 affects jackson-databind library versions 2.0.0 through 2.9.10.2.
API Portal 4.5.x uses:
API Portal 5.0.x uses:
Are both Portal versions impacted?
A flaw was found in FasterXML jackson-databind: a "gadget" exploit is possible because a Java object that should be blocked from deserialization is not. FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
API Portal 5.1 is packaged with jackson-databind 2.10.x, which is not affected by this vulnerability.
Although the previous version of API Portal may not be directly impacted (the vulnerability criteria are not matched, so the exploit cannot succeed), we still recommend upgrading the production Portal to 5.1.x.
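The "vulnerability criteria" referred to above are the polymorphic default typing settings that this class of jackson-databind gadget issue depends on. The following is an added illustration, not code from API Portal or from the jackson-databind project: it contrasts the blocklist-based enableDefaultTyping() configuration (the weak setting that CVE-2020-8840 targets on 2.0.0 through 2.9.10.2) with the allowlist-based PolymorphicTypeValidator configuration available from jackson-databind 2.10. The Shape, Circle, Square and Drawing types are hypothetical application classes, the JSON inputs are constructed for the example, and the code assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingExample {

    // Hypothetical application types used to show polymorphic (typed) deserialization.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }
    public static class Drawing { public Shape shape; }

    // Weak setting: the pre-2.10 API accepts whatever subtype name appears in the JSON,
    // minus an internal blocklist. CVE-2020-8840 exists because
    // org.apache.xbean.propertyeditor.JndiConverter was missing from that blocklist
    // in 2.0.0 through 2.9.10.2. Shown for contrast only; do not use.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened setting (2.10+): an explicit allowlist of permitted subtypes. A type name
    // outside the list is refused by the validator, so classes that merely happen to be
    // on the classpath can never be selected by attacker-controlled JSON.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .allowIfSubType(Square.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // OBJECT_AND_NON_CONCRETE: type ids only for Object and abstract/interface-typed
        // properties such as Drawing.shape, not for the concrete root type.
        mapper.activateDefaultTyping(ptv, DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Legitimate round trip: the subtype is allowlisted, so it serializes with an
        // embedded type id and deserializes back to a Circle.
        Drawing drawing = new Drawing();
        Circle circle = new Circle();
        circle.radius = 2.0;
        drawing.shape = circle;

        String json = mapper.writeValueAsString(drawing);
        Drawing back = mapper.readValue(json, Drawing.class);
        System.out.println(json + " -> radius " + ((Circle) back.shape).radius);

        // Constructed input naming a type outside the allowlist. java.util.ArrayList is
        // harmless here; the point is that the validator rejects any non-allowlisted
        // name, which is what closes off gadget classes such as the one in the CVE.
        String untrusted = "{\"shape\":[\"java.util.ArrayList\",[]]}";
        try {
            mapper.readValue(untrusted, Drawing.class);
            System.out.println("unexpected: input was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by PolymorphicTypeValidator: " + e.getMessage());
        }
    }
}
```

When auditing a deployment such as the Portal versions listed above, the question to answer is whether any ObjectMapper has default typing enabled (enableDefaultTyping(), or @JsonTypeInfo with use = JsonTypeInfo.Id.CLASS on untrusted input) and whether the gadget's library (xbean-reflect) is on the classpath; if neither holds, the exploit criteria are not met, which is the situation the advisory describes for the earlier Portal releases. The upgrade to 2.10.x is still the durable fix, because the allowlist model above does not depend on keeping a blocklist complete.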
Vulnerability Reference : CVE-2020-8840