oban-bg oban_web
- >= 2.12.0, < 2.12.5
A vulnerability allowing uncontrolled resource consumption has been identified in the Oban Web package, specifically in versions 2.12.0 prior to 2.12.5. It arises from unbounded expansion of cron range inputs, which can be exploited to cause memory exhaustion. An attacker with the ability to schedule cron jobs can submit a malicious cron expression, such as '0 0 1-100000000 * *'. When a user with dashboard access views the cron job list, the application expands the expression without validating it, allocating approximately 2.4 GB of memory. This unregulated expansion stalls or crashes the BEAM node, disrupting service. The flaw lies in the cron expression parser, which expands a range without first checking its endpoints against the bounds of the field (for day-of-month, 1 to 31).
Exploitation of this vulnerability causes the BEAM node to exhaust available memory, leading to a stall or crash of the application.
To reproduce this vulnerability, schedule a cron job using a malicious expression whose range endpoint far exceeds the field's maximum, such as '0 0 1-100000000 * *'. Then, have a user with access to the Oban Web dashboard navigate to the cron job list. Rendering the list calls 'describe/1' on each cron expression; that function eagerly expands the range, exhausting memory and crashing the BEAM node.
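The following Python snippet is an added illustration of the failure mode described above and of the corresponding fix; it is not Oban Web's code and does not reproduce its parser. It models a five-field cron parser in two shapes: an unchecked one that materialises a range exactly as written, and a bounds-checked one that rejects any endpoint outside the field's range before expanding, so day-of-month can never grow past 31 values. The field names, the 'unchecked_size' helper (which counts what the unchecked expansion would allocate without allocating it) and 'is_rejected' are assumptions introduced for the example.

```python
"""Cron field expansion: unchecked vs. bounds-checked.

Added illustration; not Oban Web's code. It models the failure the advisory
describes (a range endpoint far beyond the field's maximum expanded eagerly)
and the fix (validate endpoints against the field bounds before expanding).
"""
import re

# Standard five-field cron bounds: minute hour day-of-month month day-of-week.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 6)]

# One comma-separated piece: '*', '5', '1-5', '*/15', '1-5/2'.
PART_RE = re.compile(r"(?:\*|(\d+)(?:-(\d+))?)(?:/(\d+))?")


class CronError(ValueError):
    """Raised for malformed or out-of-bounds cron fields."""


def parse_part(part, lo, hi):
    """Turn one piece into (start, stop, step). No bounds check happens here."""
    m = PART_RE.fullmatch(part)
    if not m:
        raise CronError(f"malformed cron field part: {part!r}")
    start, stop, step = m.group(1), m.group(2), m.group(3)
    step = int(step) if step is not None else 1
    if step < 1:
        raise CronError(f"step must be >= 1: {part!r}")
    if start is None:                      # '*' covers the whole field
        return lo, hi, step
    a = int(start)
    b = int(stop) if stop is not None else a
    return a, b, step


def unchecked_size(field, lo, hi):
    """How many integers expand_unchecked() would allocate for this field,
    computed from the endpoints without allocating them (hypothetical helper)."""
    return sum(len(range(a, b + 1, step))
               for a, b, step in (parse_part(p, lo, hi) for p in field.split(",")))


def expand_unchecked(field, lo, hi):
    """Vulnerable shape: materialise the range exactly as written. With
    '1-100000000' for day-of-month this builds a 100,000,000-element list
    before anything compares the endpoints with 1..31."""
    values = []
    for part in field.split(","):
        a, b, step = parse_part(part, lo, hi)
        values.extend(range(a, b + 1, step))
    return values


def expand_checked(field, lo, hi):
    """Hardened shape: reject any endpoint outside [lo, hi] before expanding,
    so the result can never exceed hi - lo + 1 elements."""
    values = set()
    for part in field.split(","):
        a, b, step = parse_part(part, lo, hi)
        if not (lo <= a <= b <= hi):
            raise CronError(f"range {a}-{b} outside {lo}..{hi}: {field!r}")
        values.update(range(a, b + 1, step))
    return sorted(values)


def parse_cron(expr, checked=True):
    """Parse a five-field cron expression into {field: [values]}."""
    fields = expr.split()
    if len(fields) != len(FIELDS):
        raise CronError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    expand = expand_checked if checked else expand_unchecked
    return {name: expand(text, lo, hi)
            for text, (name, lo, hi) in zip(fields, FIELDS)}


def is_rejected(expr):
    """True if the bounds-checked parser refuses the expression."""
    try:
        parse_cron(expr)
    except CronError:
        return True
    return False


MALICIOUS = "0 0 1-100000000 * *"   # the expression quoted in the advisory

if __name__ == "__main__":
    print(parse_cron("*/15 0 1-5,10 * 1-5"))
    print("unchecked day-of-month allocation:",
          unchecked_size(MALICIOUS.split()[2], 1, 31))
    print("checked parser rejects the advisory expression:", is_rejected(MALICIOUS))
```

The point of the two shapes is ordering: the check has to run on the parsed endpoints before any collection is built from them. A cap applied after expansion, or a validation step in a later rendering layer, still pays the full allocation. Note that expand_unchecked() is only safe to call with modest ranges; unchecked_size() is provided so the advisory's expression can be examined without actually allocating 100,000,000 integers.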
Users can upgrade to Oban Web version 2.12.5 or later to address this vulnerability.