Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/contribsys/faktory: CVE-2023-37279 #2067

Closed
GoVulnBot opened this issue Sep 20, 2023 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/contribsys/faktory: CVE-2023-37279 #2067

GoVulnBot opened this issue Sep 20, 2023 · 4 comments
Assignees
@zpavlinovic
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2023-37279 references github.com/contribsys/faktory, which may be a Go module.

Description:
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param days. The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. Version 1.8.0 fixes this issue.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/contribsys/faktory
      vulnerable_at: 1.8.0
      packages:
        - package: faktory
description: |-
    Faktory is a language-agnostic persistent background job server. Prior to
    version 1.8.0, the Faktory web dashboard can suffer from denial of service by a
    crafted malicious url query param `days`. The vulnerability is related to how
    the backend reads the `days` URL query parameter in the Faktory web dashboard.
    The value is used directly without any checks to create a string slice. If a
    very large value is provided, the backend server ends up using a significant
    amount of memory and causing it to crash. Version 1.8.0 fixes this issue.
cves:
    - CVE-2023-37279
references:
    - advisory: https://github.com/contribsys/faktory/security/advisories/GHSA-x4hh-vjm7-g2jv
@zpavlinovic zpavlinovic self-assigned this Sep 21, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Sep 21, 2023
@zpavlinovic
Copy link
Contributor

Vulnerability in tool. Although some packages indeed seem to be imported, the issue seems be in the webui package that is never imported, yet only cloned.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/530118 mentions this issue: data/excluded: batch add 7 excluded reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592763 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606791 mentions this issue: data/reports: unexclude 20 reports (11)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (11)
36a46d8 
  - data/reports/GO-2023-2051.yaml
  - data/reports/GO-2023-2053.yaml
  - data/reports/GO-2023-2055.yaml
  - data/reports/GO-2023-2063.yaml
  - data/reports/GO-2023-2065.yaml
  - data/reports/GO-2023-2066.yaml
  - data/reports/GO-2023-2067.yaml
  - data/reports/GO-2023-2068.yaml
  - data/reports/GO-2023-2069.yaml
  - data/reports/GO-2023-2070.yaml
  - data/reports/GO-2023-2071.yaml
  - data/reports/GO-2023-2072.yaml
  - data/reports/GO-2023-2073.yaml
  - data/reports/GO-2023-2075.yaml
  - data/reports/GO-2023-2078.yaml
  - data/reports/GO-2023-2079.yaml
  - data/reports/GO-2023-2080.yaml
  - data/reports/GO-2023-2084.yaml
  - data/reports/GO-2023-2085.yaml
  - data/reports/GO-2023-2088.yaml

Updates #2051
Updates #2053
Updates #2055
Updates #2063
Updates #2065
Updates #2066
Updates #2067
Updates #2068
Updates #2069
Updates #2070
Updates #2071
Updates #2072
Updates #2073
Updates #2075
Updates #2078
Updates #2079
Updates #2080
Updates #2084
Updates #2085
Updates #2088

Change-Id: I0103dfe39411ae2cf3d74933349260db7dc3496b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606791
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot