CVE-2018-1330

When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
apachemesos
1.4.0 ≤
𝑥
< 1.4.2
apachemesos
1.5.0 ≤
𝑥
< 1.5.1
apachemesos
1.4.0:rc1
apachemesos
1.4.0:rc2
apachemesos
1.4.0:rc3
apachemesos
1.4.0:rc4
apachemesos
1.4.0:rc5
apachemesos
1.6.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E
https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde%40%3Cdev.mesos.apache.org%3E