CVE-2018-8023

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Configurations

Configuration 1

cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:mesos:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:mesos:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*

Information

Published : 2018-09-21 01:29

Updated : 2020-10-22 01:15


NVD link : CVE-2018-8023

Mitre link : CVE-2018-8023

Products Affected
No products.
CWE