CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000420
https://notcve.org/view.php?id=CVE-2018-1000420
09 Jan 2019 — An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins. Existe una vulnerabilidad de autorización incorrecta en el plugin Jenkins Mesos, en versiones 0.17.1 y anteriores, en MesosCloud.java, que permite que un atacante con acceso Overall/Read recupere ID de credenciales para las credenciales almacenadas en Jenkins. • http://www.securityfocus.com/bid/106532 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000421
https://notcve.org/view.php?id=CVE-2018-1000421
09 Jan 2019 — An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Existe una vulnerabilidad de autorización incorrecta en el plugin Jenkins Mesos, en versiones 0.17.1 y anteriores, en MesosCloud.java, que permite que los atacantes con acces... • http://www.securityfocus.com/bid/106532 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.9EPSS: 2%CPEs: 4EXPL: 0CVE-2018-8023
https://notcve.org/view.php?id=CVE-2018-8023
21 Sep 2018 — Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function return... • https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 6EXPL: 0CVE-2017-7687
https://notcve.org/view.php?id=CVE-2017-7687
28 Sep 2017 — When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Al gestionar un error de descodificación para una ruta URL malformada de una petición HTTP, libprocess en Apache Mesos en versiones anteriore... • http://www.securityfocus.com/bid/101027 •
CVSS: 7.5EPSS: 2%CPEs: 6EXPL: 0CVE-2017-9790
https://notcve.org/view.php?id=CVE-2017-9790
28 Sep 2017 — When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Cuando se procesa un mensaje libprocess contenido en una petición HTTP, libprocess en Apache Mesos en versiones anteriores... • http://www.securityfocus.com/bid/101023 • CWE-416: Use After Free •