ADVISORIES
GEM
sidekiq-unique-jobs
SEVERITY
CVSS v3.x: 7.1 (High)
PATCHED VERSIONS
- ~> 7.1.33
- >= 8.0.7
DESCRIPTION
Cross-site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed in sidekiq-unique-jobs v8.0.7.
Details
Specially crafted URL query parameters handled by any of the following endpoints of the sidekiq-unique-jobs "admin" web UI allow an attacker with super-user access, or an unwitting but authorized victim who has received a disguised / crafted link, to execute malicious code in the context of the app the sidekiq-unique-jobs web UI is mounted in, potentially stealing cookies, session data, or local storage data from that app.
If your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths and query parameters are:
- /sidekiq/changelogs: filter, count
- /sidekiq/locks: filter, count
- /sidekiq/expiring_locks: filter
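The bug class described above, reflected query parameters written into the admin UI's HTML without escaping, as an added illustration (constructed example code, not sidekiq-unique-jobs' own views): a raw-interpolation helper beside a hardened one that HTML-escapes the filter value and validates the count parameter as a bounded integer.

```ruby
require "erb"

# Constructed example, not code from sidekiq-unique-jobs: a minimal view helper
# that reflects a user-supplied query parameter (e.g. ?filter=...) into HTML.

# Vulnerable pattern: the raw parameter is interpolated into the markup, so any
# quote or angle bracket in it breaks out of the attribute and becomes markup.
def render_filter_unsafe(params)
  "<input type=\"text\" name=\"filter\" value=\"#{params['filter']}\">"
end

# Hardened pattern: HTML-escape every reflected value. ERB::Util.html_escape
# turns & < > " ' into entities, so the parameter can only ever be text.
def render_filter_safe(params)
  value = ERB::Util.html_escape(params["filter"].to_s)
  "<input type=\"text\" name=\"filter\" value=\"#{value}\">"
end

# Numeric parameters such as `count` should never be reflected as strings at all:
# parse strictly as a base-10 integer and clamp to a sane range, falling back to
# a default on anything that is not an integer (nil, "abc", "25; DROP").
def sanitize_count(raw, default: 25, max: 500)
  Integer(raw, 10).clamp(1, max)
rescue ArgumentError, TypeError
  default
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a filter value that closes the attribute and injects a tag.
  crafted = { "filter" => %q{"><b>injected</b>}, "count" => "25; DROP" }
  puts render_filter_unsafe(crafted) # tag survives: markup injection
  puts render_filter_safe(crafted)   # tag is escaped: rendered as literal text
  puts sanitize_count(crafted["count"]) # falls back to the default of 25
end
```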
Impact
This vulnerability is of critical severity and has multiple attack vectors; because sidekiq-unique-jobs is widely deployed across the industry, it impacts many thousands of sites.
Patches
The fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.
RELATED
- https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
- https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc
- https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
- https://nvd.nist.gov/vuln/detail/CVE-2024-25122
- https://github.com/advisories/GHSA-cmh9-rx85-xj38