CVE-2022-23837
sidekiq: WebUI Denial of Service caused by number of days on graph
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
En api.rb en Sidekiq antes de la versión 5.2.10 y 6.4.0, no hay límite en el número de días cuando se solicitan estadísticas para el gráfico. Esto sobrecarga el sistema, afectando a la interfaz web, y hace que no esté disponible para los usuarios
A denial of service vulnerability was found in job scheduler sidekiq. An attacker can request statistics for the graph and, since there were no limits on the days parameter, overload the system, affecting the WebUI.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-21 CVE Reserved
- 2022-01-21 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 | 2023-03-13 | |
| https://github.com/rubysec/ruby-advisory-db/pull/495 | 2023-03-13 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-23837 | 2022-07-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2044581 | 2022-07-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Contribsys Search vendor "Contribsys" | Sidekiq Search vendor "Contribsys" for product "Sidekiq" | < 5.2.10 Search vendor "Contribsys" for product "Sidekiq" and version " < 5.2.10" | - |
Affected
| ||||||
| Contribsys Search vendor "Contribsys" | Sidekiq Search vendor "Contribsys" for product "Sidekiq" | >= 6.0.0 < 6.4.0 Search vendor "Contribsys" for product "Sidekiq" and version " >= 6.0.0 < 6.4.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||