{"containers": {"cna": {"affected": [{"product": "Apache Mesos", "vendor": "Apache", "versions": [{"status": "affected", "version": "pre-1.4.x"}, {"status": "affected", "version": "1.4.0 to 1.4.2"}, {"status": "affected", "version": "1.5.0 to 1.5.2"}, {"status": "affected", "version": "1.6.0 to 1.6.1"}, {"status": "affected", "version": "1.7.0 to 1.7.1"}]}], "datePublic": "2019-03-23T00:00:00", "descriptions": [{"lang": "en", "value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-14T23:06:47", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"}, {"name": "107605", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107605"}, {"name": "RHSA-2019:3892", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-0204", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Mesos", "version": {"version_data": [{"version_value": "pre-1.4.x"}, {"version_value": "1.4.0 to 1.4.2"}, {"version_value": "1.5.0 to 1.5.2"}, {"version_value": "1.6.0 to 1.6.1"}, {"version_value": "1.7.0 to 1.7.1"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E"}, {"name": "107605", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107605"}, {"name": "RHSA-2019:3892", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3892"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:14.728Z"}, "title": "CVE Program Container", "references": [{"name": "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"}, {"name": "107605", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107605"}, {"name": "RHSA-2019:3892", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0204", "datePublished": "2019-03-25T21:43:04", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:14.728Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA0695E0-954A-4533-9D93-58257E9EA6D5", "versionEndExcluding": "1.4.3", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "matchCriteriaId": "B51B8DF0-FCE4-42A7-A582-0476226C6188", "versionEndExcluding": "1.5.3", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "matchCriteriaId": "01878119-E05A-469B-B49D-5D19082CED28", "versionEndExcluding": "1.6.2", "versionStartIncluding": "1.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AB1BB7C-46A1-4676-9D15-D75EC1E4594C", "versionEndExcluding": "1.7.2", "versionStartIncluding": "1.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mesos:1.8.0:dev:*:*:*:*:*:*", "matchCriteriaId": "E5262F5B-F30B-42AF-9D48-77041AC709AB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:fuse:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "ECF2CBAC-69B9-41A5-9999-6C07090A6204", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host."}, {"lang": "es", "value": "Una imagen Docker especialmente manipulada que se ejecuta bajo un usuario root puede sobrescribir el binario init helper del tiempo de ejecuci\u00f3n del contenedor y/o del ejecutor de comandos en Apache Mesos, en versiones pre-1.4.x, de 1.4.0 a 1.4.2, de 1.5.0 a 1.5.2, de 1.6.0 a 1.6.1 y de 1.7.0 a 1.7.1. Un actor malicioso puede, por lo tanto, lograr la ejecuci\u00f3n de c\u00f3digo de nivel root en el host."}], "id": "CVE-2019-0204", "lastModified": "2024-11-21T04:16:28.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-25T22:29:00.730", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107605"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107605"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:3892", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "mesos", "product_name": "Red Hat Fuse 7.5.0", "release_date": "2019-11-14T00:00:00Z"}], "bugzilla": {"description": "mesos: docker image code execution", "id": "1692755", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692755"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-250", "details": ["A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.", "A flaw was found in Docker image running under root user, where it is possible to overwrite the init helper binary of the container runtime or the command executor in Apache Mesos. A malicious user could use this flaw to gain root-level code execution on the host."], "name": "CVE-2019-0204", "public_date": "2019-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-0204\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0204"], "threat_severity": "Important", "upstream_fix": "Apache Mesos 1.4.3, Apache Mesos 1.5.3, Apache Mesos 1.6.2, Apache Mesos 1.7.2, Apache Mesos 1.8.0"}