CVE-2024-32887

2024-04-2621:15:49

Debian Security Bug Tracker

security-tracker.debian.org

sidekiq

ruby

reflection xss

injection

exploit

compromise

patch

version 7.2.4

web ui

domain

sensitive data

cors

defacement

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

6.5

Confidence

High

EPSS

Percentile

15.5%

JSON

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

OSVersionArchitecturePackageVersionFilename
Debian12allruby-sidekiq< 6.4.1+dfsg-1ruby-sidekiq_6.4.1+dfsg-1_all.deb
Debian11allruby-sidekiq< 6.0.4+dfsg-2ruby-sidekiq_6.0.4+dfsg-2_all.deb
Debian999allruby-sidekiq< 7.3.2+dfsg-1ruby-sidekiq_7.3.2+dfsg-1_all.deb
Debian13allruby-sidekiq< 7.3.2+dfsg-1ruby-sidekiq_7.3.2+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ruby-sidekiq	< 6.4.1+dfsg-1	ruby-sidekiq_6.4.1+dfsg-1_all.deb
Debian	11	all	ruby-sidekiq	< 6.0.4+dfsg-2	ruby-sidekiq_6.0.4+dfsg-2_all.deb
Debian	999	all	ruby-sidekiq	< 7.3.2+dfsg-1	ruby-sidekiq_7.3.2+dfsg-1_all.deb
Debian	13	all	ruby-sidekiq	< 7.3.2+dfsg-1	ruby-sidekiq_7.3.2+dfsg-1_all.deb