Lucene search

GoogleOSV:GHSA-H3R8-H5QW-4R35

HistoryApr 21, 2023 - 6:30 a.m.

sidekiq vulnerable to cross-site scripting

2023-04-2106:30:19

Google

osv.dev

sidekiq

vulnerability

cross-site scripting

reflected

fix

software

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

0.023 Low

EPSS

Percentile

89.7%

JSON

sidekiq from 7.0.4 to 7.0.7 is vulnerable to reflected cross-site scripting. A fix was released in version 7.0.8.

CPENameOperatorVersion
sidekiqeq7.0.6
sidekiqeq7.0.4
sidekiqeq7.0.5
sidekiqeq7.0.7

Name	Operator	Version
sidekiq	eq	7.0.6
sidekiq	eq	7.0.4
sidekiq	eq	7.0.5
sidekiq	eq	7.0.7

References

github.com/rubysec/ruby-advisory-db/blob/master/gems/sidekiq/CVE-2023-1892.yml

github.com/sidekiq/sidekiq

github.com/sidekiq/sidekiq/blob/main/Changes.md#708

github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214

huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777

nvd.nist.gov/vuln/detail/CVE-2023-1892

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

0.023 Low

EPSS

Percentile

89.7%

JSON

Related for OSV:GHSA-H3R8-H5QW-4R35