Search for packages
| purl | pkg:maven/org.apache.mesos/mesos@1.4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1uq6-h79y-v3gs
Aliases: CVE-2018-8023 GHSA-c8cc-p3j7-4c7f |
Information Exposure Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos, the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack. |
Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-32mt-mbwm-bbca
Aliases: CVE-2019-0204 GHSA-32w9-2qpc-5f9v |
Improper Input Validation A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos. A malicious actor can therefore gain root-level code execution on the host. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7juj-78y7-g7b6
Aliases: CVE-2019-5736 |
Containment Errors (Container Errors) runc allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to `/proc/self/exe`. |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-httt-y1jd-1few
Aliases: CVE-2018-1330 GHSA-95q3-pppp-r683 |
Improper Input Validation When parsing a malformed JSON payload, libprocess in Apache Mesos crashes due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash because of the mistakenly planted assertion. |
Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-t39q-ds43-9kee
Aliases: CVE-2018-11793 GHSA-p2xq-vcm7-xjj6 |
Improper Restriction of Operations within the Bounds of a Memory Buffer When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos might overflow the stack due to unbounded recursion. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-669z-7etj-cugk | Use After Free When handling a libprocess message wrapped in an HTTP request, `libprocess` in Apache Mesos crashes if the request path is empty, because the parser assumes the request path always starts with `/`. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. |
CVE-2017-9790
GHSA-vpcv-78cp-whr3 |
| VCID-dyhh-befu-a3a3 | Uncontrolled Resource Consumption When handling a decoding failure for a malformed URL path of an HTTP request, `libprocess` in Apache Mesos might crash because the code accidentally calls inappropriate function. A malicious actor can cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. |
CVE-2017-7687
GHSA-x869-784m-jmj2 |