Search
Find a vulnerability
Search criteria
18 vulnerabilities found for mesos by apache
CVE-2019-0204 (GCVE-0-2019-0204)
Vulnerability from nvd – Published: 2019-03-25 21:43 – Updated: 2024-08-04 17:44
VLAI
Summary
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
Severity
No CVSS data available.
CWE
- Other
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/b162dd624dc0… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/107605 | vdb-entryx_refsource_BID |
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisoryx_refsource_REDHAT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache | Apache Mesos |
Affected:
pre-1.4.x
Affected: 1.4.0 to 1.4.2 Affected: 1.5.0 to 1.5.2 Affected: 1.6.0 to 1.6.1 Affected: 1.7.0 to 1.7.1 |
Date Public
2019-03-23 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:14.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "pre-1.4.x"
},
{
"status": "affected",
"version": "1.4.0 to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0 to 1.5.2"
},
{
"status": "affected",
"version": "1.6.0 to 1.6.1"
},
{
"status": "affected",
"version": "1.7.0 to 1.7.1"
}
]
}
],
"datePublic": "2019-03-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-14T23:06:47.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-0204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "pre-1.4.x"
},
{
"version_value": "1.4.0 to 1.4.2"
},
{
"version_value": "1.5.0 to 1.5.2"
},
{
"version_value": "1.6.0 to 1.6.1"
},
{
"version_value": "1.7.0 to 1.7.1"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-0204",
"datePublished": "2019-03-25T21:43:04.000Z",
"dateReserved": "2018-11-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:44:14.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11793 (GCVE-0-2018-11793)
Vulnerability from nvd – Published: 2019-03-05 21:00 – Updated: 2024-09-16 16:27
VLAI
Summary
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/107281 | vdb-entryx_refsource_BID |
| https://lists.apache.org/thread.html/9be975c53e5a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0
|
Date Public
2019-03-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
],
"datePublic": "2019-03-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-06T10:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2019-03-04T00:00:00",
"ID": "CVE-2018-11793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107281",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107281"
},
{
"name": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11793",
"datePublished": "2019-03-05T21:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:53.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5736 (GCVE-0-2019-5736)
Vulnerability from nvd – Published: 2019-02-11 00:00 – Updated: 2024-08-04 20:01
VLAI
Summary
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
66 references
Date Public
2019-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d"
},
{
"name": "RHSA-2019:0408",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0408"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rancher/runc-cve"
},
{
"name": "RHSA-2019:0401",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0401"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_06"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190307-0008/"
},
{
"name": "RHSA-2019:0303",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0303"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/q3k/cve-2019-5736-poc"
},
{
"name": "46359",
"tags": [
"exploit",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46359/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b"
},
{
"tags": [
"x_transferred"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/02/11/2"
},
{
"tags": [
"x_transferred"
],
"url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2019-5736"
},
{
"name": "46369",
"tags": [
"exploit",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46369/"
},
{
"name": "RHSA-2019:0304",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0304"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Frichetten/CVE-2019-5736-PoC"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03913en_us"
},
{
"tags": [
"x_transferred"
],
"url": "https://brauner.github.io/2019/02/12/privileged-containers.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/"
},
{
"tags": [
"x_transferred"
],
"url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc"
},
{
"name": "106976",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106976"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/vulnerabilities/runcescape"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967"
},
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[mesos-user] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E"
},
{
"name": "[oss-security] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/23/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1227",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html"
},
{
"name": "openSUSE-SU-2019:1275",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html"
},
{
"name": "FEDORA-2019-bc70b381ad",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/"
},
{
"name": "FEDORA-2019-6174b47003",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/"
},
{
"tags": [
"x_transferred"
],
"url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944"
},
{
"name": "RHSA-2019:0975",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0975"
},
{
"tags": [
"x_transferred"
],
"url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/"
},
{
"tags": [
"x_transferred"
],
"url": "https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/"
},
{
"name": "[dlab-dev] 20190524 [jira] [Created] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[dlab-dev] 20190524 [jira] [Updated] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1481",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "[oss-security] 20190628 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/06/28/2"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/3"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/4"
},
{
"name": "USN-4048-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4048-1/"
},
{
"name": "openSUSE-SU-2019:2021",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
},
{
"name": "FEDORA-2019-2baa1f7b19",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/"
},
{
"name": "FEDORA-2019-c1dac1b3b8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/"
},
{
"name": "[dlab-dev] 20190923 [jira] [Assigned] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:2245",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html"
},
{
"name": "openSUSE-SU-2019:2286",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html"
},
{
"name": "[oss-security] 20191023 Membership application for linux-distros - VMware",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/24/1"
},
{
"name": "[oss-security] 20191029 Re: Membership application for linux-distros - VMware",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/29/3"
},
{
"name": "GLSA-202003-21",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-21"
},
{
"name": "[dlab-dev] 20200525 [jira] [Deleted] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html"
},
{
"name": "[oss-security] 20240201 runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/6"
},
{
"name": "[oss-security] 20240201 Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"
},
{
"name": "[oss-security] 20240202 Re: Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T12:06:25.591Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d"
},
{
"name": "RHSA-2019:0408",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0408"
},
{
"url": "https://github.com/rancher/runc-cve"
},
{
"name": "RHSA-2019:0401",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0401"
},
{
"url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2"
},
{
"url": "https://www.synology.com/security/advisory/Synology_SA_19_06"
},
{
"url": "https://security.netapp.com/advisory/ntap-20190307-0008/"
},
{
"name": "RHSA-2019:0303",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0303"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc"
},
{
"url": "https://github.com/q3k/cve-2019-5736-poc"
},
{
"name": "46359",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46359/"
},
{
"url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b"
},
{
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2019/02/11/2"
},
{
"url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/"
},
{
"url": "https://access.redhat.com/security/cve/cve-2019-5736"
},
{
"name": "46369",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46369/"
},
{
"name": "RHSA-2019:0304",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0304"
},
{
"url": "https://github.com/Frichetten/CVE-2019-5736-PoC"
},
{
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03913en_us"
},
{
"url": "https://brauner.github.io/2019/02/12/privileged-containers.html"
},
{
"url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/"
},
{
"url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc"
},
{
"name": "106976",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/106976"
},
{
"url": "https://access.redhat.com/security/vulnerabilities/runcescape"
},
{
"url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967"
},
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[mesos-user] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E"
},
{
"name": "[oss-security] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/23/1"
},
{
"url": "https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1227",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html"
},
{
"name": "openSUSE-SU-2019:1275",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html"
},
{
"name": "FEDORA-2019-bc70b381ad",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/"
},
{
"name": "FEDORA-2019-6174b47003",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/"
},
{
"url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944"
},
{
"name": "RHSA-2019:0975",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0975"
},
{
"url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/"
},
{
"url": "https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/"
},
{
"name": "[dlab-dev] 20190524 [jira] [Created] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[dlab-dev] 20190524 [jira] [Updated] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1481",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "[oss-security] 20190628 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/06/28/2"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/3"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/4"
},
{
"name": "USN-4048-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4048-1/"
},
{
"name": "openSUSE-SU-2019:2021",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
},
{
"name": "FEDORA-2019-2baa1f7b19",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/"
},
{
"name": "FEDORA-2019-c1dac1b3b8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/"
},
{
"name": "[dlab-dev] 20190923 [jira] [Assigned] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:2245",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html"
},
{
"name": "openSUSE-SU-2019:2286",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html"
},
{
"name": "[oss-security] 20191023 Membership application for linux-distros - VMware",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/24/1"
},
{
"name": "[oss-security] 20191029 Re: Membership application for linux-distros - VMware",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/29/3"
},
{
"name": "GLSA-202003-21",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-21"
},
{
"name": "[dlab-dev] 20200525 [jira] [Deleted] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
},
{
"url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html"
},
{
"url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html"
},
{
"name": "[oss-security] 20240201 runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/6"
},
{
"name": "[oss-security] 20240201 Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"
},
{
"name": "[oss-security] 20240202 Re: Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-5736",
"datePublished": "2019-02-11T00:00:00.000Z",
"dateReserved": "2019-01-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:01:52.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000421 (GCVE-0-2018-1000421)
Vulnerability from nvd – Published: 2019-01-09 23:00 – Updated: 2024-08-05 12:40
VLAI
Summary
An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106532 | vdb-entryx_refsource_BID |
| https://jenkins.io/security/advisory/2018-09-25/#… | x_refsource_CONFIRM |
Date Public
2018-09-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%282%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-28T00:00:00.000Z",
"datePublic": "2018-09-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-14T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%282%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-28T04:34:37.684154",
"ID": "CVE-2018-1000421",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106532"
},
{
"name": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000421",
"datePublished": "2019-01-09T23:00:00.000Z",
"dateReserved": "2019-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:47.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000420 (GCVE-0-2018-1000420)
Vulnerability from nvd – Published: 2019-01-09 23:00 – Updated: 2024-08-05 12:40
VLAI
Summary
An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106532 | vdb-entryx_refsource_BID |
| https://jenkins.io/security/advisory/2018-09-25/#… | x_refsource_CONFIRM |
Date Public
2018-09-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%281%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-28T00:00:00.000Z",
"datePublic": "2018-09-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-14T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%281%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-28T04:34:37.683653",
"ID": "CVE-2018-1000420",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106532"
},
{
"name": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000420",
"datePublished": "2019-01-09T23:00:00.000Z",
"dateReserved": "2019-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:46.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8023 (GCVE-0-2018-8023)
Vulnerability from nvd – Published: 2018-09-21 13:00 – Updated: 2024-09-16 16:58
VLAI
Summary
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/9b9d3f6bd09f… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r0dd7ff197b2… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.4.2
Affected: 1.5.0, 1.5.1 Affected: 1.6.0 |
Date Public
2018-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0, 1.5.1"
},
{
"status": "affected",
"version": "1.6.0"
}
]
}
],
"datePublic": "2018-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-22T12:06:43.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-21T00:00:00",
"ID": "CVE-2018-8023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.4.2"
},
{
"version_value": "1.5.0, 1.5.1"
},
{
"version_value": "1.6.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8023",
"datePublished": "2018-09-21T13:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:25.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1330 (GCVE-0-2018-1330)
Vulnerability from nvd – Published: 2018-09-13 19:00 – Updated: 2024-09-16 20:42
VLAI
Summary
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/395cb6bcf367… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
1.4.0 to 1.5.0
|
Date Public
2018-09-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.4.0 to 1.5.0"
}
]
}
],
"datePublic": "2018-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-13T18:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-13T00:00:00",
"ID": "CVE-2018-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "1.4.0 to 1.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1330",
"datePublished": "2018-09-13T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:42:57.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9790 (GCVE-0-2017-9790)
Vulnerability from nvd – Published: 2017-09-28 20:00 – Updated: 2024-09-16 22:14
VLAI
Summary
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/cc1e7a69ea78… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101023 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-9790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101023"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9790",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:14:23.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7687 (GCVE-0-2017-7687)
Vulnerability from nvd – Published: 2017-09-28 20:00 – Updated: 2024-09-16 16:43
VLAI
Summary
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/2c9ed2b07c2b… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101027 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-7687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7687",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-04-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:43:52.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0204 (GCVE-0-2019-0204)
Vulnerability from cvelistv5 – Published: 2019-03-25 21:43 – Updated: 2024-08-04 17:44
VLAI
Summary
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
Severity
No CVSS data available.
CWE
- Other
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/b162dd624dc0… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/107605 | vdb-entryx_refsource_BID |
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisoryx_refsource_REDHAT |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache | Apache Mesos |
Affected:
pre-1.4.x
Affected: 1.4.0 to 1.4.2 Affected: 1.5.0 to 1.5.2 Affected: 1.6.0 to 1.6.1 Affected: 1.7.0 to 1.7.1 |
Date Public
2019-03-23 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:14.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "pre-1.4.x"
},
{
"status": "affected",
"version": "1.4.0 to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0 to 1.5.2"
},
{
"status": "affected",
"version": "1.6.0 to 1.6.1"
},
{
"status": "affected",
"version": "1.7.0 to 1.7.1"
}
]
}
],
"datePublic": "2019-03-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-14T23:06:47.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-0204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "pre-1.4.x"
},
{
"version_value": "1.4.0 to 1.4.2"
},
{
"version_value": "1.5.0 to 1.5.2"
},
{
"version_value": "1.6.0 to 1.6.1"
},
{
"version_value": "1.7.0 to 1.7.1"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E"
},
{
"name": "107605",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107605"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-0204",
"datePublished": "2019-03-25T21:43:04.000Z",
"dateReserved": "2018-11-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:44:14.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11793 (GCVE-0-2018-11793)
Vulnerability from cvelistv5 – Published: 2019-03-05 21:00 – Updated: 2024-09-16 16:27
VLAI
Summary
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/107281 | vdb-entryx_refsource_BID |
| https://lists.apache.org/thread.html/9be975c53e5a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0
|
Date Public
2019-03-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
],
"datePublic": "2019-03-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-06T10:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "107281",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107281"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2019-03-04T00:00:00",
"ID": "CVE-2018-11793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107281",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107281"
},
{
"name": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11793",
"datePublished": "2019-03-05T21:00:00.000Z",
"dateReserved": "2018-06-05T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:53.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5736 (GCVE-0-2019-5736)
Vulnerability from cvelistv5 – Published: 2019-02-11 00:00 – Updated: 2024-08-04 20:01
VLAI
Summary
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
66 references
Date Public
2019-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d"
},
{
"name": "RHSA-2019:0408",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0408"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rancher/runc-cve"
},
{
"name": "RHSA-2019:0401",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0401"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_06"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190307-0008/"
},
{
"name": "RHSA-2019:0303",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0303"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/q3k/cve-2019-5736-poc"
},
{
"name": "46359",
"tags": [
"exploit",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46359/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b"
},
{
"tags": [
"x_transferred"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/02/11/2"
},
{
"tags": [
"x_transferred"
],
"url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2019-5736"
},
{
"name": "46369",
"tags": [
"exploit",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46369/"
},
{
"name": "RHSA-2019:0304",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0304"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Frichetten/CVE-2019-5736-PoC"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03913en_us"
},
{
"tags": [
"x_transferred"
],
"url": "https://brauner.github.io/2019/02/12/privileged-containers.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/"
},
{
"tags": [
"x_transferred"
],
"url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc"
},
{
"name": "106976",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106976"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/vulnerabilities/runcescape"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967"
},
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[mesos-user] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E"
},
{
"name": "[oss-security] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/23/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1227",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html"
},
{
"name": "openSUSE-SU-2019:1275",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html"
},
{
"name": "FEDORA-2019-bc70b381ad",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/"
},
{
"name": "FEDORA-2019-6174b47003",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/"
},
{
"tags": [
"x_transferred"
],
"url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944"
},
{
"name": "RHSA-2019:0975",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0975"
},
{
"tags": [
"x_transferred"
],
"url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/"
},
{
"tags": [
"x_transferred"
],
"url": "https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/"
},
{
"name": "[dlab-dev] 20190524 [jira] [Created] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[dlab-dev] 20190524 [jira] [Updated] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1481",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "[oss-security] 20190628 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/06/28/2"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/3"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/4"
},
{
"name": "USN-4048-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4048-1/"
},
{
"name": "openSUSE-SU-2019:2021",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
},
{
"name": "FEDORA-2019-2baa1f7b19",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/"
},
{
"name": "FEDORA-2019-c1dac1b3b8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/"
},
{
"name": "[dlab-dev] 20190923 [jira] [Assigned] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:2245",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html"
},
{
"name": "openSUSE-SU-2019:2286",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html"
},
{
"name": "[oss-security] 20191023 Membership application for linux-distros - VMware",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/24/1"
},
{
"name": "[oss-security] 20191029 Re: Membership application for linux-distros - VMware",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/29/3"
},
{
"name": "GLSA-202003-21",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-21"
},
{
"name": "[dlab-dev] 20200525 [jira] [Deleted] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html"
},
{
"name": "[oss-security] 20240201 runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/6"
},
{
"name": "[oss-security] 20240201 Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"
},
{
"name": "[oss-security] 20240202 Re: Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T12:06:25.591Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d"
},
{
"name": "RHSA-2019:0408",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0408"
},
{
"url": "https://github.com/rancher/runc-cve"
},
{
"name": "RHSA-2019:0401",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0401"
},
{
"url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2"
},
{
"url": "https://www.synology.com/security/advisory/Synology_SA_19_06"
},
{
"url": "https://security.netapp.com/advisory/ntap-20190307-0008/"
},
{
"name": "RHSA-2019:0303",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0303"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc"
},
{
"url": "https://github.com/q3k/cve-2019-5736-poc"
},
{
"name": "46359",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46359/"
},
{
"url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b"
},
{
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2019/02/11/2"
},
{
"url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/"
},
{
"url": "https://access.redhat.com/security/cve/cve-2019-5736"
},
{
"name": "46369",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46369/"
},
{
"name": "RHSA-2019:0304",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0304"
},
{
"url": "https://github.com/Frichetten/CVE-2019-5736-PoC"
},
{
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03913en_us"
},
{
"url": "https://brauner.github.io/2019/02/12/privileged-containers.html"
},
{
"url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/"
},
{
"url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc"
},
{
"name": "106976",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/106976"
},
{
"url": "https://access.redhat.com/security/vulnerabilities/runcescape"
},
{
"url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967"
},
{
"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[mesos-user] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E"
},
{
"name": "[oss-security] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/03/23/1"
},
{
"url": "https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003"
},
{
"name": "openSUSE-SU-2019:1079",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
},
{
"name": "openSUSE-SU-2019:1227",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html"
},
{
"name": "openSUSE-SU-2019:1275",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html"
},
{
"name": "FEDORA-2019-bc70b381ad",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/"
},
{
"name": "FEDORA-2019-6174b47003",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/"
},
{
"url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944"
},
{
"name": "RHSA-2019:0975",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0975"
},
{
"url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/"
},
{
"url": "https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/"
},
{
"name": "[dlab-dev] 20190524 [jira] [Created] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[dlab-dev] 20190524 [jira] [Updated] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:1444",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
},
{
"name": "openSUSE-SU-2019:1481",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html"
},
{
"name": "openSUSE-SU-2019:1499",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
},
{
"name": "openSUSE-SU-2019:1506",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
},
{
"name": "[oss-security] 20190628 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/06/28/2"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/3"
},
{
"name": "[oss-security] 20190706 Re: linux-distros membership application - Microsoft",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/07/06/4"
},
{
"name": "USN-4048-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4048-1/"
},
{
"name": "openSUSE-SU-2019:2021",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html"
},
{
"name": "FEDORA-2019-2baa1f7b19",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/"
},
{
"name": "FEDORA-2019-c1dac1b3b8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/"
},
{
"name": "[dlab-dev] 20190923 [jira] [Assigned] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "openSUSE-SU-2019:2245",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html"
},
{
"name": "openSUSE-SU-2019:2286",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html"
},
{
"name": "[oss-security] 20191023 Membership application for linux-distros - VMware",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/24/1"
},
{
"name": "[oss-security] 20191029 Re: Membership application for linux-distros - VMware",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/29/3"
},
{
"name": "GLSA-202003-21",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-21"
},
{
"name": "[dlab-dev] 20200525 [jira] [Deleted] (DLAB-723) Runc vulnerability CVE-2019-5736",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E"
},
{
"name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
},
{
"url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html"
},
{
"url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html"
},
{
"name": "[oss-security] 20240201 runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/6"
},
{
"name": "[oss-security] 20240201 Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"
},
{
"name": "[oss-security] 20240202 Re: Re: runc: CVE-2024-21626: high severity container breakout attack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-5736",
"datePublished": "2019-02-11T00:00:00.000Z",
"dateReserved": "2019-01-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:01:52.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000420 (GCVE-0-2018-1000420)
Vulnerability from cvelistv5 – Published: 2019-01-09 23:00 – Updated: 2024-08-05 12:40
VLAI
Summary
An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106532 | vdb-entryx_refsource_BID |
| https://jenkins.io/security/advisory/2018-09-25/#… | x_refsource_CONFIRM |
Date Public
2018-09-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:46.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%281%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-28T00:00:00.000Z",
"datePublic": "2018-09-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-14T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%281%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-28T04:34:37.683653",
"ID": "CVE-2018-1000420",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106532"
},
{
"name": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000420",
"datePublished": "2019-01-09T23:00:00.000Z",
"dateReserved": "2019-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:46.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000421 (GCVE-0-2018-1000421)
Vulnerability from cvelistv5 – Published: 2019-01-09 23:00 – Updated: 2024-08-05 12:40
VLAI
Summary
An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106532 | vdb-entryx_refsource_BID |
| https://jenkins.io/security/advisory/2018-09-25/#… | x_refsource_CONFIRM |
Date Public
2018-09-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%282%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-28T00:00:00.000Z",
"datePublic": "2018-09-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-14T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "106532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106532"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%282%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-28T04:34:37.684154",
"ID": "CVE-2018-1000421",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106532"
},
{
"name": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000421",
"datePublished": "2019-01-09T23:00:00.000Z",
"dateReserved": "2019-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:47.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8023 (GCVE-0-2018-8023)
Vulnerability from cvelistv5 – Published: 2018-09-21 13:00 – Updated: 2024-09-16 16:58
VLAI
Summary
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Severity
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/9b9d3f6bd09f… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r0dd7ff197b2… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.4.2
Affected: 1.5.0, 1.5.1 Affected: 1.6.0 |
Date Public
2018-09-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:46:12.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.4.2"
},
{
"status": "affected",
"version": "1.5.0, 1.5.1"
},
{
"status": "affected",
"version": "1.6.0"
}
]
}
],
"datePublic": "2018-09-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-22T12:06:43.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-21T00:00:00",
"ID": "CVE-2018-8023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.4.2"
},
{
"version_value": "1.5.0, 1.5.1"
},
{
"version_value": "1.6.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E"
},
{
"name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-8023",
"datePublished": "2018-09-21T13:00:00.000Z",
"dateReserved": "2018-03-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:25.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1330 (GCVE-0-2018-1330)
Vulnerability from cvelistv5 – Published: 2018-09-13 19:00 – Updated: 2024-09-16 20:42
VLAI
Summary
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/395cb6bcf367… | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
1.4.0 to 1.5.0
|
Date Public
2018-09-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.4.0 to 1.5.0"
}
]
}
],
"datePublic": "2018-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-13T18:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-09-13T00:00:00",
"ID": "CVE-2018-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "1.4.0 to 1.5.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20180913 CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1330",
"datePublished": "2018-09-13T19:00:00.000Z",
"dateReserved": "2017-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:42:57.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9790 (GCVE-0-2017-9790)
Vulnerability from cvelistv5 – Published: 2017-09-28 20:00 – Updated: 2024-09-16 22:14
VLAI
Summary
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/cc1e7a69ea78… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101023 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:01.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101023"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-9790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with \u0027/\u0027. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cc1e7a69ea78da0511f5b54b6be7aa6e3c78edad5aaff430e7de028b@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101023",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101023"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9790",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-06-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:14:23.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7687 (GCVE-0-2017-7687)
Vulnerability from cvelistv5 – Published: 2017-09-28 20:00 – Updated: 2024-09-16 16:43
VLAI
Summary
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Severity
No CVSS data available.
CWE
- Denial of Service
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/2c9ed2b07c2b… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101027 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Mesos |
Affected:
versions prior to 1.1.3
Affected: 1.2.x before 1.2.2 Affected: 1.3.x before 1.3.1 Affected: 1.4.0-dev |
Date Public
2017-09-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Mesos",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.1.3"
},
{
"status": "affected",
"version": "1.2.x before 1.2.2"
},
{
"status": "affected",
"version": "1.3.x before 1.3.1"
},
{
"status": "affected",
"version": "1.4.0-dev"
}
]
}
],
"datePublic": "2017-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-29T09:57:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df%40%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-09-26T00:00:00",
"ID": "CVE-2017-7687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Mesos",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.1.3"
},
{
"version_value": "1.2.x before 1.2.2"
},
{
"version_value": "1.3.x before 1.3.1"
},
{
"version_value": "1.4.0-dev"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20170926 CVE-2017-7687: Libprocess might crash when decoding a malformed request.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2c9ed2b07c2b2831a11d21db3cf8408a71fcf2c300d73ca01bad89df@%3Cdev.mesos.apache.org%3E"
},
{
"name": "101027",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7687",
"datePublished": "2017-09-28T20:00:00.000Z",
"dateReserved": "2017-04-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:43:52.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}