CVE-2023-37279 Information
Description
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer a denial of service via a crafted, malicious `days` URL query parameter. The vulnerability lies in how the backend reads the `days` query parameter in the web dashboard: the value is used directly, without any checks, to create a string slice. If a very large value is supplied, the backend server allocates a significant amount of memory and crashes. Version 1.8.0 fixes this issue.
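The unchecked pattern the advisory describes, beside a bounded parser of the kind that closes the hole, as an added Go example that is not Faktory's own code; `maxDays`, the default of 30 and the function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// maxDays caps the history window the dashboard will render. Assumed bound
// for this example, not necessarily the one the Faktory 1.8.0 fix uses.
const maxDays = 180

var ErrBadDays = errors.New("days must be an integer between 1 and 180")

// parseDaysUnchecked mirrors the pre-1.8.0 pattern the advisory describes:
// the value is converted and used as-is, so a huge "days" later sizes a slice.
func parseDaysUnchecked(q url.Values) (int, error) {
	return strconv.Atoi(q.Get("days"))
}

// parseDays is the hardened version: parse, then reject anything outside
// [1, maxDays] before any allocation can depend on the value.
func parseDays(q url.Values) (int, error) {
	raw := q.Get("days")
	if raw == "" {
		return 30, nil // assumed default when the parameter is absent
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 1 || n > maxDays {
		return 0, ErrBadDays
	}
	return n, nil
}

// historyLabels builds one label per day, the kind of slice the dashboard
// allocates; fed by parseDays, its length can never exceed maxDays.
func historyLabels(days int) []string {
	labels := make([]string, days)
	for i := range labels {
		labels[i] = fmt.Sprintf("day-%d", i+1)
	}
	return labels
}

func main() {
	q, _ := url.ParseQuery("days=999999999")
	n, err := parseDays(q)
	fmt.Println(n, err)
}
```

Note that the checked parser never allocates, so the oversized request is rejected at the cost of a single integer parse.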
Reference
https://github.com/contribsys/faktory/security/advisories/GHSA-x4hh-vjm7-g2jv