
CVE-2018-8023
https://notcve.org/view.php?id=CVE-2018-8023
21 Sep 2018 — Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function return... • https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
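Added example (not Mesos or libprocess code): a minimal HS256 JWT verifier in Python that shows the advisory's bug pattern next to its fix. verify_vulnerable compares the provided signature to the computed HMAC with a plain ==, which stops at the first mismatching byte; verify_hardened uses hmac.compare_digest. early_exit_compare makes the leak observable by counting how many bytes an early-exit comparison touches before it returns: for a forged signature whose first k bytes are right, that count is k+1, which is exactly the quantity an attacker recovers from response timing, one byte at a time. The secret, the claims and the forged tokens are constructed for the example; a real executor-API deployment would use the agent's configured authentication secret (assumption).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only (assumption: in Mesos this
# would be the executor authentication secret configured on the agent).
SECRET = b"demo-executor-secret"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(mac)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def _expected_mac(token, key):
    header, payload, _ = token.split(".")
    return hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()


def early_exit_compare(a, b):
    """What a plain == does under the hood: stop at the first mismatching byte.
    Returns (equal, bytes_examined) so the data-dependent work is observable."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_vulnerable(token, key):
    """The pattern the advisory describes: provided signature == computed HMAC."""
    provided = b64url_decode(token.split(".")[2])
    return provided == _expected_mac(token, key)


def verify_hardened(token, key):
    """The fix: a constant-time comparison whose work does not depend on the input."""
    provided = b64url_decode(token.split(".")[2])
    return hmac.compare_digest(provided, _expected_mac(token, key))


def forge_with_correct_prefix(token, key, k):
    """Test vector for the oracle: a token whose signature matches the real MAC in
    its first k bytes and differs at byte k. The real MAC is used here only to
    build the vector; an attacker would learn those k bytes one at a time."""
    header, payload, _ = token.split(".")
    mac = bytearray(_expected_mac(token, key))
    mac[k] ^= 0xFF
    return f"{header}.{payload}.{b64url_encode(bytes(mac))}"


def bytes_examined_by_early_exit(token, key):
    """How much work the early-exit compare does for this token. The timing side
    channel in the advisory is this number, scaled to nanoseconds per byte."""
    provided = b64url_decode(token.split(".")[2])
    return early_exit_compare(provided, _expected_mac(token, key))[1]


if __name__ == "__main__":
    token = sign_hs256({"sub": "executor-1"}, SECRET)
    for k in (0, 7, 31):
        forged = forge_with_correct_prefix(token, SECRET, k)
        print(k, bytes_examined_by_early_exit(forged, SECRET),
              verify_vulnerable(forged, SECRET), verify_hardened(forged, SECRET))
```

The length check in early_exit_compare is not the leak: the HMAC length is public, so returning early on a length mismatch reveals nothing. The leak is the byte loop, and hmac.compare_digest removes it by always touching every byte.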

CVE-2017-7687
https://notcve.org/view.php?id=CVE-2017-7687
28 Sep 2017 — When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls an inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable. • http://www.securityfocus.com/bid/101027 •

CVE-2017-9790
https://notcve.org/view.php?id=CVE-2017-9790
28 Sep 2017 — When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable. • http://www.securityfocus.com/bid/101023 • CWE-416: Use After Free •
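Added example (not libprocess code) covering the two failure modes above, CVE-2017-7687 (a percent-decoding failure that is not handled as an error) and CVE-2017-9790 (a parser that indexes the first character of a path that may be empty). fragile_parse makes both assumptions explicit and lets the exception escape, which in a server event loop is a crash rather than a response; parse_request_path turns every client-controlled failure into a 400. The '/<process-id>/<message-name>' layout used by route_libprocess_message and all the sample request targets are assumptions constructed for the example.

```python
HEXDIGITS = set("0123456789abcdefABCDEF")


class BadRequest(Exception):
    """A client error that must be answered with 400, never allowed to crash the process."""


def percent_decode_strict(text):
    """Decode %XX escapes, rejecting malformed ones instead of guessing."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "%":
            out += ch.encode("utf-8")
            i += 1
            continue
        hexpair = text[i + 1:i + 3]
        if len(hexpair) != 2 or not set(hexpair) <= HEXDIGITS:
            raise BadRequest(f"malformed percent-escape at offset {i}")
        out.append(int(hexpair, 16))
        i += 3
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError:
        raise BadRequest("decoded path is not valid UTF-8")


def fragile_parse(raw_target):
    """The two assumptions the advisories describe, made explicit: the path is
    never empty, and decoding never fails. Either one raises out of the handler."""
    if raw_target[0] != "/":  # IndexError on "" (the CVE-2017-9790 pattern)
        raise ValueError("not origin-form")
    # BadRequest propagates unhandled here (the CVE-2017-7687 pattern)
    return [percent_decode_strict(s) for s in raw_target[1:].split("/")]


def crash_class(raw_target):
    """Which exception escapes fragile_parse for this input, if any."""
    try:
        fragile_parse(raw_target)
        return None
    except Exception as err:  # deliberately broad: we are cataloguing crashes
        return type(err).__name__


def parse_request_path(raw_target):
    """Hardened version: every failure mode becomes (400, reason); success is
    (200, [segments]). Never raises on attacker-controlled input."""
    path = raw_target.split("?", 1)[0]
    if path == "":
        return 400, "empty request path"
    if path[0] != "/":
        return 400, "request path must start with '/'"
    try:
        segments = [percent_decode_strict(s) for s in path[1:].split("/")]
    except BadRequest as err:
        return 400, str(err)
    return 200, segments


def route_libprocess_message(raw_target):
    """Dispatch on '/<process-id>/<message-name>' (layout assumed for this example).
    Anything else is rejected before it reaches a message handler."""
    status, result = parse_request_path(raw_target)
    if status != 200:
        return status, result
    if len(result) != 2 or "" in result:
        return 400, "expected exactly '/<process-id>/<message-name>'"
    return 200, {"process": result[0], "message": result[1]}


if __name__ == "__main__":
    # Constructed sample request targets, including the hostile ones.
    for target in ("", "master/Ping", "/master/%ZZ", "/a%", "/%C3%28", "/master/Ping%20Msg"):
        print(repr(target), crash_class(target), route_libprocess_message(target))
```

The ordering in parse_request_path matters: the empty and leading-'/' checks run on the raw target before any decoding, so a decoder that itself indexes into the string never sees an empty input, and the decode step is the only one that can fail and is wrapped accordingly.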