CVE-2018-1330

When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

Published: Sep 13, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-1330
GHSA: GHSA-95q3-pppp-r683
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / mesos	1.4.0	1.4.2
apache / mesos	1.5.0	1.5.1
apache / mesos	1.4.0-rc1	1.4.0-rc1.x
apache / mesos	1.4.0-rc2	1.4.0-rc2.x
apache / mesos	1.4.0-rc3	1.4.0-rc3.x
apache / mesos	1.4.0-rc4	1.4.0-rc4.x
apache / mesos	1.4.0-rc5	1.4.0-rc5.x
apache / mesos	1.6.0-rc1	1.6.0-rc1.x
org.apache.mesos / mesos	1.4.0	1.6.0

Vulnerability Database

289,697

CVE-2018-1330