Improper Data Handling Affecting org.apache.mesos:mesos package, versions [,1.1.3-rc1) [1.2.0, 1.2.2-rc1) [1.3.0, 1.3.1-rc1)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHEMESOS-3092937
- published 26 Jan 2022
- disclosed 29 Sep 2017
- credit Unknown
Introduced: 29 Sep 2017
CVE-2017-9790 Open this link in a new tabHow to fix?
Upgrade org.apache.mesos:mesos
to version 1.1.3-rc1, 1.2.2-rc1, 1.3.1-rc1 or higher.
Overview
org.apache.mesos:mesos is a The Apache Mesos Java API jar.
Affected versions of this package are vulnerable to Improper Data Handling. When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.