Apache Software Foundation Mesos 1.5.1 Release Candidate 1

CPE Details

Apache Software Foundation Mesos 1.5.1 Release Candidate 1
1.5.1
2019-03-06
15h12 +00:00
2019-03-06
15h12 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:apache:mesos:1.5.1:rc1:*:*:*:*:*:*

Informations

Vendor

apache

Product

mesos

Version

1.5.1

Update

rc1

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2019-0204 2019-03-25 20h43 +00:00 A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
7.8
High
CVE-2018-11793 2019-03-05 21h00 +00:00 When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
7.5
High
CVE-2019-5736 2019-02-10 23h00 +00:00 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
8.6
High
CVE-2018-8023 2018-09-21 13h00 +00:00 Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
5.9
Medium