x/vulndb: potential Go vuln in github.com/contribsys/faktory: CVE-2023-37279 #2067
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
zpavlinovic
added
the
excluded: EFFECTIVELY_PRIVATE
|
Vulnerability in tool. Although some packages indeed seem to be imported, the issue seems be in the |
|
Change https://go.dev/cl/530118 mentions this issue: |
|
Change https://go.dev/cl/592763 mentions this issue: |
|
Change https://go.dev/cl/606791 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-2051.yaml - data/reports/GO-2023-2053.yaml - data/reports/GO-2023-2055.yaml - data/reports/GO-2023-2063.yaml - data/reports/GO-2023-2065.yaml - data/reports/GO-2023-2066.yaml - data/reports/GO-2023-2067.yaml - data/reports/GO-2023-2068.yaml - data/reports/GO-2023-2069.yaml - data/reports/GO-2023-2070.yaml - data/reports/GO-2023-2071.yaml - data/reports/GO-2023-2072.yaml - data/reports/GO-2023-2073.yaml - data/reports/GO-2023-2075.yaml - data/reports/GO-2023-2078.yaml - data/reports/GO-2023-2079.yaml - data/reports/GO-2023-2080.yaml - data/reports/GO-2023-2084.yaml - data/reports/GO-2023-2085.yaml - data/reports/GO-2023-2088.yaml Updates #2051 Updates #2053 Updates #2055 Updates #2063 Updates #2065 Updates #2066 Updates #2067 Updates #2068 Updates #2069 Updates #2070 Updates #2071 Updates #2072 Updates #2073 Updates #2075 Updates #2078 Updates #2079 Updates #2080 Updates #2084 Updates #2085 Updates #2088 Change-Id: I0103dfe39411ae2cf3d74933349260db7dc3496b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606791 Commit-Queue: Tatiana Bradley <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-37279 references github.com/contribsys/faktory, which may be a Go module.
Description:
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param
days. The vulnerability is related to how the backend reads thedaysURL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. Version 1.8.0 fixes this issue.References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: