{ "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-09-21T00:00:00", "ID": "CVE-2018-8023", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Mesos", "version": { "version_data": [ { "version_value": "versions prior to 1.4.2" }, { "version_value": "1.5.0, 1.5.1" }, { "version_value": "1.6.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "[dev] 20180921 CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E" }, { "refsource": "MLIST", "name": "[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version", "url": "https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E" } ] } }