CVE-2017-9790

CWE-416 — Use After Free6 documents5 sources

Severity

7.5HIGH

EPSS

2.1%

top 15.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Mesos Apache Software Foundation Apache Mesos

Timeline

PublishedSep 29

Latest updateMay 13

Description

When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.mesos:mesos1.2.0 — 1.2.2+2

▶NVDapache/mesos1.1.2+5

▶CVEListV5apache_software_foundation/apache_mesos4 versions+3

🔴Vulnerability Details

OSV

Use after free in Apache Mesos↗2022-05-13

▶

GHSA

Use after free in Apache Mesos↗2022-05-13

▶

CVEList

CVE-2017-9790: When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1↗2017-09-28

▶

💬Community

Bugzilla

CVE-2017-9790 CVE-2017-7687 mesos: Multiple security issues↗2017-09-27

▶

Bugzilla

CVE-2017-7687 CVE-2017-9790 mesos: Multiple security issues [fedora-all]↗2017-09-27

▶