high
7.5
CWE
770 789
Advisory Published
Advisory Published
Updated

CVE-2023-37279: Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input

First published: Wed Sep 20 2023(Updated: )

### Summary Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. ### Details The vulnerability is related to how the backend reads the `days` URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. ### PoC To reproduce this vulnerability, please follow these steps: Start the Faktory Docker and limit memory usage to 512 megabytes for better demonstration: ``` $ docker run --rm -it -m 512m \ -p 127.0.0.1:7419:7419 \ -p 127.0.0.1:7420:7420 \ contribsys/faktory:latest ``` Send the following request. The Faktory server will exit after a few seconds due to out of memory: ``` $ curl 'http://localhost:7420/?days=922337' ``` ### Impact **Server Availability**: The vulnerability can crash the Faktory server, affecting its availability. **Denial of Service Risk**: Given that the Faktory web dashboard does not require authorization, any entity with internet access to the dashboard could potentially exploit this vulnerability. This unchecked access opens up the potential for a Denial of Service (DoS) attack, which could disrupt service availability without any conditional barriers to the attacker.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Contribsys Faktory<1.8.0
go/github.com/contribsys/faktory<1.8.0
1.8.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-37279?

    CVE-2023-37279 is a vulnerability in the Faktory web dashboard that can lead to denial of service by a crafted malicious URL query parameter.

  • What is the severity of CVE-2023-37279?

    CVE-2023-37279 has a severity rating of high, with a CVSS score of 7.5.

  • How can the Faktory web dashboard be affected by CVE-2023-37279?

    The Faktory web dashboard can be affected by CVE-2023-37279 if a crafted malicious URL query parameter 'days' is used.

  • What is the affected software version of CVE-2023-37279?

    The affected software version of CVE-2023-37279 is Faktory version before 1.8.0.

  • How can I fix CVE-2023-37279?

    To fix CVE-2023-37279, update Faktory to version 1.8.0 or higher.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203