Apache Software Foundation Apache Mesos vulnerabilities
5 known vulnerabilities affecting apache_software_foundation/apache_mesos.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 1
Vulnerabilities
CVE-2018-11793 | HIGH | CVSS 7.5 | CWE-119 | Affected: Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0 | 2019-03-05
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Sources: cvelistv5, nvd
CVE-2018-8023 | MEDIUM | CVSS 5.9 | CWE-200 | Affected: versions prior to 1.4.2; 1.5.0, 1.5.1 (+1 more) | 2018-09-21
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string co
Sources: cvelistv5, nvd
CVE-2018-1330 | HIGH | CVSS 7.5 | CWE-20 | Affected: 1.4.0 to 1.5.0 | 2018-09-13
When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-contr
Sources: cvelistv5, nvd
CVE-2017-9790 | HIGH | CVSS 7.5 | CWE-416 | Affected: versions prior to 1.1.3; 1.2.x before 1.2.2 (+2 more) | 2017-09-29
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Me
Sources: cvelistv5, nvd
CVE-2017-7687 | HIGH | CVSS 7.5 | Affected: versions prior to 1.1.3; 1.2.x before 1.2.2 (+2 more) | 2017-09-29
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inop
Sources: cvelistv5, nvd