When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can also crash libprocess because of a mistakenly placed assertion. A malicious actor can therefore cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable.
[
  {
    "product": "Apache Mesos",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "1.4.0 to 1.5.0"
      }
    ]
  }
]