CVE-2018-8023

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-8023
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-8023.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-8023
Aliases
Published
2018-09-21T13:29:01Z
Modified
2024-10-12T04:07:49.665352Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard == operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.

References

Affected packages

Git / github.com/apache/mesos

Affected ranges

Type
GIT
Repo
https://github.com/apache/mesos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.14.0-rc1
0.15.0-rc1
0.16.0-rc1
0.17.0-rc1
0.18.0-rc1
0.19.0-rc1
0.20.0-rc1
0.21.0-rc1
0.22.0-rc1
0.23.0-rc1
0.24.0-rc1
0.27.0-rc1
0.28.0-rc1

1.*

1.0.0-rc1
1.0.0-rc2
1.2.0-rc1
1.4.0
1.4.0-rc1
1.4.0-rc2
1.4.0-rc3
1.4.0-rc4
1.4.0-rc5
1.4.1
1.4.1-rc1