VYPR
High severity7.5NVD Advisory· Published Sep 29, 2017· Updated Jun 17, 2026

CVE-2017-9790

CVE-2017-9790

Description

When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.mesos:mesosMaven
< 1.1.31.1.3
org.apache.mesos:mesosMaven
>= 1.2.0, < 1.2.21.2.2
org.apache.mesos:mesosMaven
>= 1.3.0, < 1.3.11.3.1

Affected products

8
  • Apache/Mesos6 versions
    cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*range: <=1.1.2
    • cpe:2.3:a:apache:mesos:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:mesos:1.4.0-dev:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.1.3
  • Apache Software Foundation/Apache Mesosv5
    Range: versions prior to 1.1.3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.