Search for packages
| purl | pkg:maven/org.apache.mesos/mesos@1.3.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1uq6-h79y-v3gs
Aliases: CVE-2018-8023 GHSA-c8cc-p3j7-4c7f |
Information Exposure Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos, the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack. |
Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-t39q-ds43-9kee
Aliases: CVE-2018-11793 GHSA-p2xq-vcm7-xjj6 |
Improper Restriction of Operations within the Bounds of a Memory Buffer When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos might overflow the stack due to unbounded recursion. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-669z-7etj-cugk | Use After Free When handling a libprocess message wrapped in an HTTP request, `libprocess` in Apache Mesos crashes if the request path is empty, because the parser assumes the request path always starts with `/`. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. |
CVE-2017-9790
GHSA-vpcv-78cp-whr3 |
| VCID-dyhh-befu-a3a3 | Uncontrolled Resource Consumption When handling a decoding failure for a malformed URL path of an HTTP request, `libprocess` in Apache Mesos might crash because the code accidentally calls inappropriate function. A malicious actor can cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. |
CVE-2017-7687
GHSA-x869-784m-jmj2 |