5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-8023

GHSA ID

GHSA-c8cc-p3j7-4c7f

EPSS Score

0.84712%

CWE

CWE-200

Published

10/17/2018

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-8023

CVE-2018-8023: Moderate severity vulnerability that affects org.apache.mesos:mesos

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard == operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-8023

GHSA ID

GHSA-c8cc-p3j7-4c7f

EPSS Score

0.84712%

CWE

CWE-200

Published

10/17/2018

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.mesos:mesos	maven	< 1.4.2	1.4.2
org.apache.mesos:mesos	maven	>= 1.5.0, < 1.5.2	1.5.2
org.apache.mesos:mesos	maven	>= 1.6.0, < 1.6.1	1.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure JWT signature comparison in JWT::parse method. The patch shows the security fix replaced a direct string comparison operator ('==') with a constant-time comparison function. The original vulnerable code path in JWT::parse would appear in profilers during signature validation attempts, which is exactly where an attacker would trigger timing measurements. No other functions in the patch show security-sensitive comparisons.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** M*sos **n ** *on*i*ur** to r*quir* *ut**nti**tion to **ll t** *x**utor *TTP *PI usin* JSON W** Tok*n (JWT). In *p**** M*sos v*rsions pr*-*.*.*, *.*.*, *.*.*, *.*.* t** *omp*rison o* t** **n*r*t** *M** v*lu* ***inst t** provi*** si*n*tur* in t*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* JWT si*n*tur* *omp*rison in JWT::p*rs* m*t*o*. T** p*t** s*ows t** s**urity *ix r*pl**** * *ir**t strin* *omp*rison op*r*tor ('==') wit* * *onst*nt-tim* *omp*rison *un*tion. T** ori*in*l vuln*r**l* *o** p*t* in J

5.9

Basic Information

Concerned about an active attack path?

CVE-2018-8023: Moderate severity vulnerability that affects org.apache.mesos:mesos

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI