CVE-2018-8023

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-8023

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8023.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-8023

Aliases

GHSA-c8cc-p3j7-4c7f

Published

2018-09-21T13:29:01Z

Modified

2024-09-03T02:20:32.560888Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard == operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.

References

Affected packages

Git / github.com/apache/mesos

Affected ranges

Type: GIT
Repo: https://github.com/apache/mesos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

612ec2c63a68b4d5b60d1d864e6703fde1c2a023

Affected versions

0.*

0.14.0-rc1

0.15.0-rc1

0.16.0-rc1

0.17.0-rc1

0.18.0-rc1

0.19.0-rc1

0.20.0-rc1

0.21.0-rc1

0.22.0-rc1

0.23.0-rc1

0.24.0-rc1

0.27.0-rc1

0.28.0-rc1

1.*

1.0.0-rc1

1.0.0-rc2

1.2.0-rc1

1.4.0

1.4.0-rc1

1.4.0-rc2

1.4.0-rc3

1.4.0-rc4

1.4.0-rc5

1.4.1

1.4.1-rc1