CVE-2023-37279 – Faktory Web Dashboard can lead to denial of service (DoS) via malicious user input
https://notcve.org/view.php?id=CVE-2023-37279
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can be made to deny service via a crafted `days` URL query parameter. The backend reads `days` from the query string and uses the value directly, without any bounds check, as the length of a string slice to allocate; a very large value makes the server consume a significant amount of memory and crash. Fixed in 1.8.0.
• https://github.com/contribsys/faktory/security/advisories/GHSA-x4hh-vjm7-g2jv
• CWE-770: Allocation of Resources Without Limits or Throttling
• CWE-789: Memory Allocation with Excessive Size Value
CVE-2023-26141 – sidekiq: DoS in dashboard-charts
https://notcve.org/view.php?id=CVE-2023-26141
Versions of the sidekiq package before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the Web UI's dashboard-charts.js file. The script reads a value from the browser's localStorage without adequate validation; an attacker who can set that value causes the dashboard to issue excessive polling requests against the server.
• https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a
• https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js#L6
• https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89
• https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107
• https://access.redhat.com/security/cve/CVE-2023-26141
• https://bugzilla.redhat.com/show_bug.cgi?id=2239010
• CWE-345: Insufficient Verification of Data Authenticity
• CWE-400: Uncontrolled Resource Consumption
CVE-2023-1892 – Cross-site Scripting (XSS) - Reflected in sidekiq/sidekiq
https://notcve.org/view.php?id=CVE-2023-1892
Reflected cross-site scripting (XSS) in sidekiq/sidekiq prior to 7.0.8; fixed in 7.0.8 (see the referenced commit).
• https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214
• https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23837 – sidekiq: WebUI Denial of Service caused by number of days on graph
https://notcve.org/view.php?id=CVE-2022-23837
In api.rb in Sidekiq before 5.2.10 and 6.x before 6.4.0, there is no limit on the number of days that can be requested when fetching stats for the Web UI graph. An attacker requests graph statistics with a very large `days` value; because the parameter is unbounded, the request overloads the system and makes the Web UI unavailable to users.
• https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
• https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
• https://github.com/rubysec/ruby-advisory-db/pull/495
• https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
• https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html
• https://access.redhat.com/security/cve/CVE-2022-23837
• https://bugzilla.redhat.com/show_bug.cgi?id=2044581
• CWE-770: Allocation of Resources Without Limits or Throttling
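CVE-2023-37279 (Faktory) and CVE-2022-23837 (Sidekiq) are the same bug shape: a `days` query parameter is turned into an allocation size with no upper bound. The following is an added Ruby example written for this page to show that shape beside a hardened parser; it is not code from either project. The function names, the 180-day cap, the 30-day default, the fixed "today" date and the in-memory store are assumptions constructed for the example.

```ruby
require "date"

# Cap and default for the history window. Constructed values for this example;
# each project chose its own limit in the fixes cited above.
MAX_DAYS     = 180
DEFAULT_DAYS = 30

# Vulnerable pattern (the shape described for CVE-2022-23837 and CVE-2023-37279):
# the query-string value is converted and used directly as a count, so
# ?days=999999999 builds that many key strings before a single byte is read
# from the store. Kept only to show the shape; never call it with untrusted input.
def history_keys_unbounded(raw_days, today: Date.new(2024, 1, 31))
  days = raw_days.to_i
  Array.new(days) { |i| "stat:processed:#{(today - i).strftime('%Y-%m-%d')}" }
end

# Hardened parsing: accept only a decimal integer, fall back to a default for
# anything else, and clamp into [1, MAX_DAYS] before any allocation happens.
def parse_days(raw, default: DEFAULT_DAYS, max: MAX_DAYS)
  return default unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  n = raw.to_i
  return default if n.zero?
  n.clamp(1, max)
end

# Same key generation, but the allocation size is bounded by parse_days.
def history_keys(raw_days, today: Date.new(2024, 1, 31))
  parse_days(raw_days).times.map do |i|
    "stat:processed:#{(today - i).strftime('%Y-%m-%d')}"
  end
end

# Constructed in-memory stand-in for the per-day counters a dashboard would
# read from Redis with MGET. Days with no counter read as 0.
FAKE_STORE = {
  "stat:processed:2024-01-31" => 42,
  "stat:processed:2024-01-30" => 17,
}.freeze

# Returns { "YYYY-MM-DD" => processed_count } for the requested window.
def processed_history(raw_days, today: Date.new(2024, 1, 31))
  history_keys(raw_days, today: today).to_h do |key|
    [key.split(":").last, FAKE_STORE.fetch(key, 0)]
  end
end

if $PROGRAM_NAME == __FILE__
  p processed_history("2")
  p history_keys("999999999").length   # clamped to MAX_DAYS
end
```

The check must run before the size is used for anything: clamping after `Array.new` or after the Redis round trip is too late, because the allocation is the cost the attacker is buying. Rejecting non-numeric and zero values with a default, rather than `to_i`, also avoids `"abc".to_i == 0` silently producing an empty graph.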
CVE-2021-30151 – sidekiq: XSS via the queue name of the live-poll feature
https://notcve.org/view.php?id=CVE-2021-30151
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. An attacker who can get a crafted queue name onto the server can run script in the context of a Web UI user's session and impersonate or masquerade as that user; the issue is only triggered in Internet Explorer.
• https://github.com/mperham/sidekiq/issues/4852
• https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
• https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html
• https://access.redhat.com/security/cve/CVE-2021-30151
• https://bugzilla.redhat.com/show_bug.cgi?id=2013503
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
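A queue name is attacker-influenced data that a polled dashboard renders repeatedly, so it needs context-specific output encoding, and a polled JSON endpoint should not be sniffable as HTML. The following is an added Ruby example written for this page, not Sidekiq's code; the queue name is constructed, the helper names and the Rack-style response shape are assumptions, and the page does not say which Internet Explorer behaviour CVE-2021-30151 relied on, so the response headers are shown as a generic control rather than as the fix.

```ruby
require "erb"
require "json"

# Constructed queue name an attacker might get onto the job server, e.g. via a
# job payload; from the dashboard's point of view it is untrusted input.
EVIL_QUEUE = %q{default"><img src=x onerror=alert(1)>}

# Vulnerable pattern: raw interpolation into the markup a live-poll refresh
# inserts into the page. The quote breaks out of the href and a tag follows.
def queue_link_unescaped(name)
  %(<a href="/queues/#{name}">#{name}</a>)
end

# Hardened: the name is a path segment in the href (URL-encode it) and a text
# node in the anchor body (HTML-escape it). Each context gets its own encoder.
def queue_link(name)
  href = ERB::Util.url_encode(name)
  text = ERB::Util.html_escape(name)
  %(<a href="/queues/#{href}">#{text}</a>)
end

# Rack-style response for a live-poll stats endpoint. Declaring the JSON type
# and sending X-Content-Type-Options: nosniff stops the browser from sniffing
# the body and rendering attacker-controlled strings in it as HTML.
def poll_response(stats)
  headers = {
    "Content-Type"           => "application/json; charset=utf-8",
    "X-Content-Type-Options" => "nosniff",
    "Cache-Control"          => "no-store",
  }
  [200, headers, [JSON.generate(stats)]]
end

if $PROGRAM_NAME == __FILE__
  puts queue_link_unescaped(EVIL_QUEUE)   # breaks out of the href, injects <img>
  puts queue_link(EVIL_QUEUE)             # inert text and an encoded path segment
  p poll_response("queues" => { EVIL_QUEUE => 3 })
end
```

Escaping once with a single HTML escaper is not enough when the same value lands in two contexts: `html_escape` leaves `%`, `/` and `?` alone, so a name placed into a URL path still needs `url_encode`, and a value placed into a JavaScript string literal by the polling code needs JSON encoding, not HTML escaping.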