Lucene search: ApacheMesos

9 matches found

CVE | added 2019/02/11 12:0 a.m. | 765 views

CVE-2019-5736

CVE-2019-5736 affects runc as shipped in Docker before 18.09.2 and other products, enabling a container to overwrite the host runc binary via /proc/self/exe and gain host root. Root cause: file-descriptor mishandling in runc leading to command execution as root inside a container. Affected versio...

CVSS 9.3 | AI score 8.8 | EPSS 0.55296 | In wild
CVE | added 2019/03/25 9:43 p.m. | 215 views

CVE-2019-0204

CVE-2019-0204 affects Apache Mesos (pre-1.4.x, and 1.4.0–1.4.2, 1.5.0–1.5.2, 1.6.0–1.6.1, 1.7.0–1.7.1). A crafted Docker image run as root can overwrite the container runtime init helper binary and/or the Mesos command executor, enabling root-level code execution on the host. Public records in th...

CVSS 9.3 | AI score 7.9 | EPSS 0.00176 | In wild
CVE | added 2019/03/05 9:0 p.m. | 86 views

CVE-2018-11793

Apache Mesos is affected in versions pre-1.4.x and specific 1.4.x/1.5.x/1.6.x/1.7.0 branches. The issue is an unbounded recursion during parsing of deeply nested JSON payloads, which can overflow the stack and cause a denial of service/crash of Mesos masters. The impact is DoS rendering the clust...

CVSS 7.5 | AI score 7.3 | EPSS 0.04871
CVE | added 2018/09/21 1:0 p.m. | 82 views

CVE-2018-8023

The provided records confirm CVE-2018-8023 affects Apache Mesos: pre-1.4.2, 1.5.0, 1.5.1, and 1.6.0 have a timing-attack flaw in JWT HMAC verification due to using a non-constant-time string comparison. This may enable an attacker to deduce the correct HMAC value during JWT validation. Several co...

CVSS 5.9 | AI score 5.6 | EPSS 0.00783
CVE | added 2018/09/13 7:0 p.m. | 81 views

CVE-2018-1330

CVE-2018-1330 affects Apache Mesos (libprocess) with versions 1.4.0–1.5.0. The issue stems from parsing a malformed JSON payload and an assertion in chunked HTTP trailer handling, leading to an uncaught exception and a crash. The documented impact is a denial of service that renders Mesos masters...

CVSS 7.5 | AI score 7.5 | EPSS 0.02109
CVE | added 2017/09/28 8:0 p.m. | 72 views

CVE-2017-7687

The CVE-2017-7687 entry affects Apache Mesos where libprocess may crash while handling a decoding failure for a malformed URL path in an HTTP request. Affected are Mesos releases using libprocess prior to 1.1.3, 1.2.x prior to 1.2.2, 1.3.x prior to 1.3.1, and 1.4.0-dev. The root cause is that the...

CVSS 7.5 | AI score 7.5 | EPSS 0.03234
CVE | added 2017/09/28 8:0 p.m. | 70 views

CVE-2017-9790

CVE-2017-9790 affects Apache Mesos’ libprocess: when handling a libprocess message wrapped in an HTTP request, the parser assumes the request path always starts with '/' and crashes if the path is empty. This can cause a denial of service on Mesos masters, rendering the Mesos-controlled cluster i...

CVSS 7.5 | AI score 7.4 | EPSS 0.02141
CVE | added 2019/01/09 11:0 p.m. | 58 views

CVE-2018-1000420

CVE-2018-1000420 affects the Jenkins Mesos Plugin up to and including version 0.17.1, where MesosCloud.java contains an improper authorization flaw. The issue allows attackers with Overall/Read access to retrieve credentials IDs for credentials stored in Jenkins, exposing sensitive credential ref...

CVSS 6.5 | AI score 6.3 | EPSS 0.00221
CVE | added 2019/01/09 11:0 p.m. | 50 views

CVE-2018-1000421

CVE-2018-1000421 affects Jenkins Mesos Plugin up to version 0.17.1. The root cause is an improper authorization in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server using attacker-specified credentials IDs, enabling e...

CVSS 6.5 | AI score 6.3 | EPSS 0.00326