-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: potential Go vuln in github.com/contribsys/faktory: CVE-2023-37279 #2067
Comments
Vulnerability in tool. Although some packages indeed seem to be imported, the issue seems be in the |
Change https://go.dev/cl/530118 mentions this issue: |
Change https://go.dev/cl/592763 mentions this issue: |
Change https://go.dev/cl/606791 mentions this issue: |
- data/reports/GO-2023-2051.yaml - data/reports/GO-2023-2053.yaml - data/reports/GO-2023-2055.yaml - data/reports/GO-2023-2063.yaml - data/reports/GO-2023-2065.yaml - data/reports/GO-2023-2066.yaml - data/reports/GO-2023-2067.yaml - data/reports/GO-2023-2068.yaml - data/reports/GO-2023-2069.yaml - data/reports/GO-2023-2070.yaml - data/reports/GO-2023-2071.yaml - data/reports/GO-2023-2072.yaml - data/reports/GO-2023-2073.yaml - data/reports/GO-2023-2075.yaml - data/reports/GO-2023-2078.yaml - data/reports/GO-2023-2079.yaml - data/reports/GO-2023-2080.yaml - data/reports/GO-2023-2084.yaml - data/reports/GO-2023-2085.yaml - data/reports/GO-2023-2088.yaml Updates #2051 Updates #2053 Updates #2055 Updates #2063 Updates #2065 Updates #2066 Updates #2067 Updates #2068 Updates #2069 Updates #2070 Updates #2071 Updates #2072 Updates #2073 Updates #2075 Updates #2078 Updates #2079 Updates #2080 Updates #2084 Updates #2085 Updates #2088 Change-Id: I0103dfe39411ae2cf3d74933349260db7dc3496b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606791 Commit-Queue: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
CVE-2023-37279 references github.com/contribsys/faktory, which may be a Go module.
Description:
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param
days
. The vulnerability is related to how the backend reads thedays
URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. Version 1.8.0 fixes this issue.References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: