<p>Upgrade <code>org.apache.mesos:mesos</code> to version 1.1.3-rc1, 1.2.2-rc1, 1.3.1-rc1 or higher.</p>

Improper Data Handling Affecting org.apache.mesos:mesos package, versions [,1.1.3-rc1) [1.2.0, 1.2.2-rc1) [1.3.0, 1.3.1-rc1)

Snyk CVSS

Attack Complexity Low

Availability High

Threat Intelligence

EPSS 0.08% (32^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEMESOS-3092937
published 26 Jan 2022
disclosed 29 Sep 2017
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 29 Sep 2017

CVE-2017-9790 Open this link in a new tab CWE-19 Open this link in a new tab

How to fix?

Upgrade org.apache.mesos:mesos to version 1.1.3-rc1, 1.2.2-rc1, 1.3.1-rc1 or higher.

Overview

org.apache.mesos:mesos is a The Apache Mesos Java API jar.

Affected versions of this package are vulnerable to Improper Data Handling. When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.