
CVE-2017-7687: Denial of service in Apache Mesos

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.83455%
CWE: -
Published: 5/13/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name              Ecosystem   Vulnerable Versions   First Patched Version
org.apache.mesos:mesos    maven       < 1.1.3               1.1.3
org.apache.mesos:mesos    maven       >= 1.2.0, < 1.2.2     1.2.2
org.apache.mesos:mesos    maven       >= 1.3.0, < 1.3.1     1.3.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The patch modifies the error handling in the request parsing function where URL path decoding failures are processed. The vulnerable code called Try<string>::get() (which crashes the process when the Try holds an error) instead of Try<string>::error() to retrieve the error message. That request parsing function is the direct entry point for processing HTTP requests in libprocess, so it appears in stack traces when malformed URLs trigger decoding failures.
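The get()-versus-error() mistake described above, as an added example that is not Mesos or libprocess code: a minimal stand-in for stout's Try<T> (with the abort on get() modelled as an exception so it can be observed), a hypothetical percent-decoder, and the vulnerable and fixed shapes of the failure branch side by side. All names (Try stand-in, decodeUrlPath, handleRequest*) are assumptions of this example.

```cpp
#include <cctype>
#include <optional>
#include <stdexcept>
#include <string>
// Minimal stand-in for stout's Try<T> (not the real class): holds a value or an error message.
template <typename T>
class Try {
 public:
  static Try some(T v) { Try t; t.value_ = v; return t; }
  static Try error(std::string m) { Try t; t.message_ = m; return t; }
  bool isError() const { return !value_.has_value(); }
  const T& get() const {  // real stout calls ABORT() here on error; modelled as an exception
    if (isError()) throw std::logic_error("Try::get() but state == ERROR: " + message_);
    return *value_;
  }
  const std::string& error() const { return message_; }
 private:
  std::optional<T> value_; std::string message_;
};

// Hypothetical percent-decoder: a '%' must be followed by exactly two hex digits.
Try<std::string> decodeUrlPath(const std::string& path) {
  std::string out;
  for (size_t i = 0; i < path.size(); ++i) {
    if (path[i] != '%') { out += path[i]; continue; }
    if (i + 2 >= path.size() || !std::isxdigit((unsigned char)path[i + 1]) || !std::isxdigit((unsigned char)path[i + 2]))
      return Try<std::string>::error("malformed %-escape at offset " + std::to_string(i));
    out += static_cast<char>(std::stoi(path.substr(i + 1, 2), nullptr, 16));
    i += 2;
  }
  return Try<std::string>::some(out);
}

// Vulnerable shape: the failure branch calls get() on an errored Try, so one bad path kills the process.
std::string handleRequestVulnerable(const std::string& rawPath) {
  Try<std::string> decoded = decodeUrlPath(rawPath);
  if (decoded.isError()) return "400 Bad Request: " + decoded.get();  // BUG: should be error()
  return "200 OK: " + decoded.get();
}
// True when the vulnerable handler would have taken the process down on this input.
bool vulnerableHandlerCrashes(const std::string& rawPath) {
  try { handleRequestVulnerable(rawPath); return false; } catch (const std::logic_error&) { return true; }
}

// Fixed shape: the failure branch reads error(), so a malformed path is answered with a 400.
std::string handleRequestFixed(const std::string& rawPath) {
  Try<std::string> decoded = decodeUrlPath(rawPath);
  if (decoded.isError()) return "400 Bad Request: " + decoded.error();
  return "200 OK: " + decoded.get();
}
```

A unit test that feeds the handler a malformed path would have caught this: the vulnerable shape turns a client-supplied parse error into a process abort, the fixed shape into a 400.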


WAF Protection Rules

WAF Rule

When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos might crash because the code accidentally calls an inappropriate function. A malicious actor can therefore cause a denial of service of the Mesos master.
