Search
Find a vulnerability
Search criteria
10 vulnerabilities found for Apache Mesos by Apache Software Foundation
CVE-2018-11793 (GCVE-0-2018-11793)
Vulnerability from nvd – Published: 2019-03-05 21:00 – Updated: 2024-09-16 16:27
VLAI
Summary
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/107281 | vdb-entryx_refsource_BID |
| https://lists.apache.org/thread.html/9be975c53e5a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0
|
Date Public
2019-03-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
],
"datePublic": "2019-03-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-06T10:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2019-03-04T00:00:00",
"ID": "CVE-2018-11793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107281",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107281"
},
{
"name": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11793",
"datePublished": "2019-03-05T21:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:53.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8023 (GCVE-0-2018-8023)
Vulnerability from nvd – Published: 2018-09-21 13:00 – Updated: 2024-09-16 16:58
VLAI
Summary
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/9b9d3f6bd09f… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r0dd7ff197b2… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.4.2
Affected: 1.5.0, 1.5.1 Affected: 1.6.0 |
Date Public
2018-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0, 1.5.1"
},
{
"status": "affected",
"version": "1.6.0"
}
]
}
],
"datePublic": "2018-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-22T12:06:43.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-21T00:00:00",
"ID": "CVE-2018-8023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.4.2"
},
{
"version_value": "1.5.0, 1.5.1"
},
{
"version_value": "1.6.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8023",
"datePublished": "2018-09-21T13:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:25.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1330 (GCVE-0-2018-1330)
Vulnerability from nvd – Published: 2018-09-13 19:00 – Updated: 2024-09-16 20:42
VLAI
Summary
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/395cb6bcf367… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
1.4.0 to 1.5.0
|
Date Public
2018-09-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.4.0 to 1.5.0"
}
]
}
],
"datePublic": "2018-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-13T18:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-13T00:00:00",
"ID": "CVE-2018-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "1.4.0 to 1.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1330",
"datePublished": "2018-09-13T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:42:57.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9790 (GCVE-0-2017-9790)
Vulnerability from nvd – Published: 2017-09-28 20:00 – Updated: 2024-09-16 22:14
VLAI
Summary
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/cc1e7a69ea78… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101023 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-9790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101023"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9790",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:14:23.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7687 (GCVE-0-2017-7687)
Vulnerability from nvd – Published: 2017-09-28 20:00 – Updated: 2024-09-16 16:43
VLAI
Summary
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/2c9ed2b07c2b… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101027 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-7687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7687",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-04-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:43:52.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11793 (GCVE-0-2018-11793)
Vulnerability from cvelistv5 – Published: 2019-03-05 21:00 – Updated: 2024-09-16 16:27
VLAI
Summary
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/107281 | vdb-entryx_refsource_BID |
| https://lists.apache.org/thread.html/9be975c53e5a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0
|
Date Public
2019-03-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
],
"datePublic": "2019-03-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-06T10:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2019-03-04T00:00:00",
"ID": "CVE-2018-11793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107281",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107281"
},
{
"name": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11793",
"datePublished": "2019-03-05T21:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:53.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8023 (GCVE-0-2018-8023)
Vulnerability from cvelistv5 – Published: 2018-09-21 13:00 – Updated: 2024-09-16 16:58
VLAI
Summary
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/9b9d3f6bd09f… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r0dd7ff197b2… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.4.2
Affected: 1.5.0, 1.5.1 Affected: 1.6.0 |
Date Public
2018-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0, 1.5.1"
},
{
"status": "affected",
"version": "1.6.0"
}
]
}
],
"datePublic": "2018-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-22T12:06:43.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-21T00:00:00",
"ID": "CVE-2018-8023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.4.2"
},
{
"version_value": "1.5.0, 1.5.1"
},
{
"version_value": "1.6.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8023",
"datePublished": "2018-09-21T13:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:25.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1330 (GCVE-0-2018-1330)
Vulnerability from cvelistv5 – Published: 2018-09-13 19:00 – Updated: 2024-09-16 20:42
VLAI
Summary
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/395cb6bcf367… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
1.4.0 to 1.5.0
|
Date Public
2018-09-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.4.0 to 1.5.0"
}
]
}
],
"datePublic": "2018-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-13T18:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-13T00:00:00",
"ID": "CVE-2018-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "1.4.0 to 1.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1330",
"datePublished": "2018-09-13T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:42:57.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7687 (GCVE-0-2017-7687)
Vulnerability from cvelistv5 – Published: 2017-09-28 20:00 – Updated: 2024-09-16 16:43
VLAI
Summary
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/2c9ed2b07c2b… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101027 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-7687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7687",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-04-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:43:52.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9790 (GCVE-0-2017-9790)
Vulnerability from cvelistv5 – Published: 2017-09-28 20:00 – Updated: 2024-09-16 22:14
VLAI
Summary
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/cc1e7a69ea78… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101023 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-9790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101023"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9790",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:14:23.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}