CVE-2018-11793

When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

Published: Mar 5, 2019
Updated: Nov 8, 2023
CVE: CVE-2018-11793
GHSA: GHSA-p2xq-vcm7-xjj6
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
apache / mesos	1.4.0-rc1	1.4.0-rc1.x
apache / mesos	1.4.0-rc2	1.4.0-rc2.x
apache / mesos	1.4.0-rc3	1.4.0-rc3.x
apache / mesos	1.4.0-rc4	1.4.0-rc4.x
apache / mesos	1.4.0-rc5	1.4.0-rc5.x
apache / mesos	1.4.0	1.4.3
apache / mesos	1.5.0	1.5.2
apache / mesos	1.6.0	1.6.2
apache / mesos	1.7.0	1.7.1
apache / mesos	1.8.0-dev	1.8.0-dev.x
org.apache.mesos / mesos	-	1.4.3
org.apache.mesos / mesos	1.5.0	1.5.2
org.apache.mesos / mesos	1.6.0	1.6.2
org.apache.mesos / mesos	1.7.0	1.7.0.x
org.apache.mesos / mesos	1.7.0	1.7.1

Vulnerability Database

289,697

CVE-2018-11793