CVE-2022-23837 (sidekiq): Denial of service in sidekiq

Denial of service in sidekiq

Published: January 27, 2022

SECURITY IDENTIFIERS

CVE: CVE-2022-23837 (NVD)
GHSA: GHSA-jrfj-98qg-qjgv
Vendor Advisory: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956

GEM

sidekiq

SEVERITY

CVSS v3.x: 7.5 (High)

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

>= 6.4.0 ~> 5.2.10

DESCRIPTION

In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md

RubySec