
CVE-2018-11793: Stack Overflow in Apache Mesos

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.88336%
Published: 3/6/2019
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.mesos:mesos | maven | < 1.4.3 | 1.4.3 |
| org.apache.mesos:mesos | maven | >= 1.5.0, < 1.5.2 | 1.5.2 |
| org.apache.mesos:mesos | maven | >= 1.6.0, < 1.6.2 | 1.6.2 |
| org.apache.mesos:mesos | maven | = 1.7.0 | 1.7.1 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from picojson's recursive parsing without depth limits. The patch adds depth counters in both default_parse_context and null_parse_context, modifying their parse_array_start/parse_object_start methods. These functions would appear repeatedly in stack traces during exploitation of deep JSON nesting. The explicit addition of depth checks in these specific methods indicates they were the recursion points causing stack overflows in unpatched versions.
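
The depth-counter pattern described above, as an added C++ example (not picojson's or Mesos's code): a small recursive-descent checker that counts open arrays and objects and refuses to recurse past a limit. The names DepthLimitedParser and parse_json and the limit kMaxDepth = 100 are assumptions for illustration; the page does not state the limit the patch uses.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Assumed limit for this example; the page does not state the patch's value.
constexpr std::size_t kMaxDepth = 100;
// Hypothetical checker: depth is counted where arrays and objects open.
struct DepthLimitedParser {
    const std::string& src;
    std::size_t pos = 0, depth = 0;
    explicit DepthLimitedParser(const std::string& s) : src(s) {}
    bool parse() { return value() && !more(); }  // well formed and within kMaxDepth
    bool more() {  // skip whitespace, report whether input remains
        while (pos < src.size() && std::isspace(static_cast<unsigned char>(src[pos]))) ++pos;
        return pos < src.size();
    }
    bool eat(char c) { return more() && src[pos] == c ? (++pos, true) : false; }
    bool string() {
        if (!eat('"')) return false;
        for (; pos < src.size(); ++pos) {
            if (src[pos] == '\\') ++pos;  // skip the escaped character
            else if (src[pos] == '"') { ++pos; return true; }
        }
        return false;  // unterminated string
    }
    bool scalar() {  // numbers and literals, loosely checked
        std::size_t start = pos;
        while (pos < src.size() && (std::isalnum(static_cast<unsigned char>(src[pos])) ||
                                    src[pos] == '-' || src[pos] == '+' || src[pos] == '.')) ++pos;
        return pos > start;
    }
    bool container(char close, bool keyed) {
        if (++depth > kMaxDepth) return false;  // depth check before recursing
        if (!eat(close)) {
            do {
                if (keyed && !(string() && eat(':'))) return false;
                if (!value()) return false;  // recursion point
            } while (eat(','));
            if (!eat(close)) return false;
        }
        --depth;  // siblings do not accumulate depth
        return true;
    }
    bool value() {
        if (eat('[')) return container(']', false);
        if (eat('{')) return container('}', true);
        return more() && src[pos] == '"' ? string() : scalar();
    }
};
bool parse_json(const std::string& s) { return DepthLimitedParser(s).parse(); }
```

Because the check runs before each recursive call, stack use is bounded by kMaxDepth regardless of input size; brackets inside string values do not count toward the depth.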
