7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37279

GHSA ID

GHSA-x4hh-vjm7-g2jv

EPSS Score

0.64401%

CWE

CWE-770

Published

9/20/2023

Updated

11/12/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37279

CVE-2023-37279: Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input

Summary

Faktory web dashboard can suffer from denial of service by a crafted malicious url query param days.

Details

The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash.

PoC

To reproduce this vulnerability, please follow these steps:

Start the Faktory Docker and limit memory usage to 512 megabytes for better demonstration:

$ docker run --rm -it -m 512m \
  -p 127.0.0.1:7419:7419 \
  -p 127.0.0.1:7420:7420 \
  contribsys/faktory:latest

Send the following request. The Faktory server will exit after a few seconds due to out of memory:

$ curl 'http://localhost:7420/?days=922337'

Impact

Server Availability: The vulnerability can crash the Faktory server, affecting its availability. Denial of Service Risk: Given that the Faktory web dashboard does not require authorization, any entity with internet access to the dashboard could potentially exploit this vulnerability. This unchecked access opens up the potential for a Denial of Service (DoS) attack, which could disrupt service availability without any conditional barriers to the attacker.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-37279

CVE-2023-37279:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37279

GHSA ID

GHSA-x4hh-vjm7-g2jv

EPSS Score

0.64401%

CWE

CWE-770

Published

9/20/2023

Updated

11/12/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/contribsys/faktory	go	< 1.8.0	1.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated use of the 'days' parameter in HTTP request handling. The PoC shows that a large 'days' value triggers OOM crashes, indicating the parameter is used to allocate memory (e.g., slice creation for date ranges). In Go web servers, query parameters are typically processed in HTTP handler functions. The lack of bounds checking before slice allocation aligns with CWE-770 and CWE-789. While the exact function name/path isn't explicitly provided in the advisory, the described behavior strongly points to the dashboard request handler as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-37279: Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input

Summary

Details

PoC

Impact

CVE-2023-37279:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37279: Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input

Summary

Details

PoC

Impact

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI