github - ghsa-jrfj-98qg-qjgv

ghsa-jrfj-98qg-qjgv

Vulnerability from github

Published

2022-01-27 14:42

Modified

2023-01-24 15:46

Severity

7.5 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Denial of service in sidekiq

Details

In api.rb in Sidekiq before 6.4.0 and 5.2.10, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sidekiq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sidekiq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-24T22:50:23Z",
    "nvd_published_at": "2022-01-21T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "In `api.rb` in Sidekiq before 6.4.0 and 5.2.10, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.",
  "id": "GHSA-jrfj-98qg-qjgv",
  "modified": "2023-01-24T15:46:01Z",
  "published": "2022-01-27T14:42:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mperham/sidekiq"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in sidekiq"
}

cve-2022-23837

Vulnerability from cvelistv5

Published

2022-01-21 00:00

Modified

2024-08-03 03:51

Severity

Summary

In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

References

URL	Tags
https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
https://github.com/rubysec/ruby-advisory-db/pull/495
https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html	mailing-list
https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html	mailing-list

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.990Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/495"
          },
          {
            "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"
          },
          {
            "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-12T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
        },
        {
          "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
        },
        {
          "url": "https://github.com/rubysec/ruby-advisory-db/pull/495"
        },
        {
          "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"
        },
        {
          "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23837",
    "datePublished": "2022-01-21T00:00:00",
    "dateReserved": "2022-01-21T00:00:00",
    "dateUpdated": "2024-08-03T03:51:45.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

gsd-2022-23837

Vulnerability from gsd

Modified

2022-01-27 00:00

Details

Aliases

CVE-2022-23837

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23837",
    "description": "In api.rb in Sidekiq before 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.",
    "id": "GSD-2022-23837",
    "references": [
      "https://access.redhat.com/errata/RHSA-2022:5498"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "sidekiq",
            "purl": "pkg:gem/sidekiq"
          }
        }
      ],
      "aliases": [
        "CVE-2022-23837",
        "GHSA-jrfj-98qg-qjgv"
      ],
      "details": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of\ndays when requesting stats for the graph. This overloads the system, affecting the\nWeb UI, and makes it unavailable to users.\n",
      "id": "GSD-2022-23837",
      "modified": "2022-01-27T00:00:00.000Z",
      "published": "2022-01-27T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
        },
        {
          "type": "WEB",
          "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.0,
          "type": "CVSS_V2"
        },
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Denial of service in sidekiq"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-23837",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956",
            "refsource": "MISC",
            "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
          },
          {
            "name": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md",
            "refsource": "MISC",
            "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
          },
          {
            "name": "https://github.com/rubysec/ruby-advisory-db/pull/495",
            "refsource": "MISC",
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/495"
          },
          {
            "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"
          },
          {
            "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-23837",
      "cvss_v2": 5.0,
      "cvss_v3": 7.5,
      "date": "2022-01-27",
      "description": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of\ndays when requesting stats for the graph. This overloads the system, affecting the\nWeb UI, and makes it unavailable to users.\n",
      "gem": "sidekiq",
      "ghsa": "jrfj-98qg-qjgv",
      "patched_versions": [
        "\u003e= 6.4.0",
        "~\u003e 5.2.10"
      ],
      "related": {
        "url": [
          "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
        ]
      },
      "title": "Denial of service in sidekiq",
      "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c5.2.10||\u003e=6.0.0 \u003c6.4.0",
          "affected_versions": "All versions before 5.2.10, all versions starting from 6.0.0 before 6.4.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2023-03-13",
          "description": "In api.rb in Sidekiq, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.",
          "fixed_versions": [
            "5.2.10",
            "6.4.0"
          ],
          "identifier": "CVE-2022-23837",
          "identifiers": [
            "CVE-2022-23837"
          ],
          "not_impacted": "All versions starting from 5.2.10 before 6.0.0, all versions starting from 6.4.0",
          "package_slug": "gem/sidekiq",
          "pubdate": "2022-01-21",
          "solution": "Upgrade to versions 5.2.10, 6.4.0 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23837",
            "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956",
            "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
          ],
          "uuid": "2a68d39f-3108-470b-a430-33efdcfd458b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.10",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.4.0",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-23837"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"
            },
            {
              "name": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"
            },
            {
              "name": "https://github.com/rubysec/ruby-advisory-db/pull/495",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rubysec/ruby-advisory-db/pull/495"
            },
            {
              "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"
            },
            {
              "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-03-13T00:15Z",
      "publishedDate": "2022-01-21T21:15Z"
    }
  }
}

Action not permitted

ghsa-jrfj-98qg-qjgv

Vulnerability from github

cve-2022-23837

Vulnerability from cvelistv5

gsd-2022-23837

Vulnerability from gsd

Tags