CVE-2018-8023 is a vulnerability in Apache Mesos
Published on September 21, 2018
Apache Mesos can be configured to require authentication for calls to the Executor HTTP API using JSON Web Tokens (JWT). In Apache Mesos versions prior to 1.4.2, and in 1.5.0, 1.5.1 and 1.6.0, the JWT implementation compares the freshly generated HMAC value against the signature supplied in the token using the standard `==` operator instead of a constant-time comparison routine, which makes the check vulnerable to a timing attack. Because the comparison stops at the first differing byte, the time at which the JWT validation function returns leaks how much of the supplied signature is correct, and a malicious actor can use that timing difference to recover the correct HMAC value.
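To illustrate the defect and its fix, the following is an added example (not Mesos code and not from the advisory): a minimal HS256 JWT verifier written twice, once with the `==` comparison the advisory describes and once with a constant-time comparison. The secret key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real service would load it from configuration.
SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that the compact JWT encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _expected_signature(token: str, key: bytes) -> tuple[bytes, bytes]:
    """Recompute the HMAC over header.payload and return (supplied, expected)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return _b64url_decode(sig), expected


def verify_vulnerable(token: str, key: bytes) -> bool:
    """The pattern the advisory describes: bytes `==` returns as soon as one byte
    differs, so the elapsed time depends on how many leading bytes of the
    supplied signature already match the correct HMAC."""
    supplied, expected = _expected_signature(token, key)
    return supplied == expected


def verify_fixed(token: str, key: bytes) -> bool:
    """Same check with a constant-time comparison: the time taken does not
    depend on where (or whether) the two values differ."""
    supplied, expected = _expected_signature(token, key)
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    tok = sign_hs256({"sub": "executor-1"}, SECRET)
    print(verify_fixed(tok, SECRET), verify_fixed(tok, b"wrong-key"))
```

Both functions accept and reject the same tokens; the difference is only in how long the rejection takes, which is exactly what the timing attack exploits.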
Products Associated with CVE-2018-8023
Affected Versions
Apache Software Foundation Apache Mesos:
- Versions prior to 1.4.2 are affected.
- Versions 1.5.0 and 1.5.1 are affected.
- Version 1.6.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.