CVE-2022-23837

Published: Jan 21, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

Affected (3)

Products: Contribsys: Sidekiq · Debian: Debian Linux

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Contribsys Sidekiq	Before 5.2.10
Contribsys Sidekiq	From 6.0.0 to 6.4.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (10)

https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/rubysec/ruby-advisory-db/pull/495

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html

Source: cve@mitre.org

https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md