61 matches found
CVE-2018-8023
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token JWT. In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timi...
Authentication flaw
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token JWT. In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timi...
CVE-2018-8023
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token JWT. In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timi...
CVE-2018-8023
The provided records confirm CVE-2018-8023 affects Apache Mesos: pre-1.4.2, 1.5.0, 1.5.1, and 1.6.0 have a timing-attack flaw in JWT HMAC verification due to using a non-constant-time string comparison. This may enable an attacker to deduce the correct HMAC value during JWT validation. Several co...
Apache Mesos libprocess Denial of Service Vulnerability
Apache Mesos is the United States Apache Apache Software Foundation of a set of support for Hadoop, ElasticSearch and Spark and other application architectures of open source cluster management software. libprocess is one of the underlying network communication libraries . A security vulnerabilit...
CVE-2018-1330
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a...
Code injection
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a...
CVE-2018-1330
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a...
CVE-2018-1330
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a...
CVE-2017-9790
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore...
CVE-2017-9790
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore...
CVE-2017-7687
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of...
CVE-2017-7687
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of...
Cross site request forgery (csrf)
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore...
Path traversal
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of...
CVE-2017-9790
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore...
CVE-2017-9790
CVE-2017-9790 affects Apache Mesos’ libprocess: when handling a libprocess message wrapped in an HTTP request, the parser assumes the request path always starts with '/' and crashes if the path is empty. This can cause a denial of service on Mesos masters, rendering the Mesos-controlled cluster i...
CVE-2017-7687
The CVE-2017-7687 entry affects Apache Mesos where libprocess may crash while handling a decoding failure for a malformed URL path in an HTTP request. Affected are Mesos releases using libprocess prior to 1.1.3, 1.2.x prior to 1.2.2, 1.3.x prior to 1.3.1, and 1.4.0-dev. The root cause is that the...
CVE-2017-7687
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of...
Apache Mesos Denial of Service Vulnerability (CNVD-2017-33268)
Apache Mesos is open source cluster management software , support for Hadoop, ElasticSearch, Spark, Storm and Kafka application architecture. Apache Mesos has a security vulnerability that allows remote attackers to exploit requests submitted through the vulnerability and crash applications...