RubySec advisory RUBY:SIDEKIQ-UNIQUE-JOBS-2024-25122 (rubygems)
Published: Feb 12, 2024 - 9:00 p.m.

sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis

Published: 2024-02-12 21:00:00
Source: RubySec
Reference: github.com
Tags: sidekiq-unique-jobs, xss, rce, redis, vulnerability, critical, patches

CVSS3: 7.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score: 5.7
Confidence: High

Cross-site scripting (XSS) potentially exposing cookies, sessions, or localStorage; fixed by sidekiq-unique-jobs v8.0.7.

Details

Specially crafted URL query parameters handled by any of the following endpoints of the sidekiq-unique-jobs "admin" web UI
allow a super-user attacker, or an unwitting but authorized victim who has received a disguised or crafted link,
to execute malicious code in the browser. Such code could steal cookies, session data,
or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.

If your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths and query parameters are:

  • /sidekiq/changelogs
    • filter
    • count
  • /sidekiq/locks
    • filter
    • count
  • /sidekiq/expiring_locks
    • filter
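As an added example (not code from the advisory or the sidekiq-unique-jobs project), the following Ruby check scans web server access logs for requests to the three endpoints above whose filter or count values carry markup metacharacters, which is one way to look for probing of this issue. The /sidekiq mount point follows the advisory's example, and the log lines are constructed.

```ruby
require "uri"
require "cgi"

# Endpoints and query parameters named in the advisory, under the
# advisory's example mount point (/sidekiq); adjust MOUNT to your own.
MOUNT = "/sidekiq".freeze
VULNERABLE_PARAMS = {
  "#{MOUNT}/changelogs"     => %w[filter count],
  "#{MOUNT}/locks"          => %w[filter count],
  "#{MOUNT}/expiring_locks" => %w[filter],
}.freeze

# Markup metacharacters have no business in a lock filter or a page count.
# Values are checked after one round of URL decoding, so the encoded forms
# below only catch a second, nested layer of encoding.
SUSPICIOUS = /[<>"']|javascript:|%3c|%3e/i

# Extracts the path and decoded query parameters from a combined-log-format
# line; returns nil when the request target cannot be parsed.
def parse_request(line)
  m = line.match(/"(?:GET|POST) (\S+) HTTP/)
  return nil unless m
  uri = URI.parse(m[1])
  [uri.path, uri.query ? CGI.parse(uri.query) : {}]
rescue URI::InvalidURIError
  nil
end

# Returns [path, param, decoded value] for every listed parameter of a
# vulnerable endpoint whose value matches SUSPICIOUS; other paths and
# clean values are ignored.
def suspicious_hits(log_lines)
  log_lines.flat_map do |line|
    path, params = parse_request(line)
    next [] unless path && VULNERABLE_PARAMS.key?(path)
    VULNERABLE_PARAMS[path].flat_map do |name|
      Array(params[name]).select { |v| SUSPICIOUS.match?(v) }.map { |v| [path, name, v] }
    end
  end
end

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
  '10.0.0.5 - - [12/Feb/2024:21:00:01 +0000] "GET /sidekiq/locks?filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E&count=25 HTTP/1.1" 200 512',
  '10.0.0.6 - - [12/Feb/2024:21:00:02 +0000] "GET /sidekiq/locks?filter=uniquejobs%3Aabc&count=25 HTTP/1.1" 200 1024',
  '10.0.0.7 - - [12/Feb/2024:21:00:03 +0000] "GET /sidekiq/changelogs?count=%22%3E%3Cimg%20src%3Dx%3E HTTP/1.1" 200 300',
  '10.0.0.8 - - [12/Feb/2024:21:00:04 +0000] "GET /sidekiq/queues?filter=%3Cb%3E HTTP/1.1" 200 300',
].freeze

suspicious_hits(SAMPLE_LOG).each { |p, k, v| puts "#{p} #{k}=#{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

A hit is a signal worth reviewing, not proof of exploitation; a clean log on an affected version is still a reason to upgrade to v8.0.7.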

Impact

This vulnerability is of critical severity: sidekiq-unique-jobs is widely deployed across the industry, so many thousands of sites are impacted, and there are multiple attack vectors.

Patches

The fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.

Affected configurations

Vulners node:
  • ruby sidekiq-unique-jobs, range 7.1.0 - 7.1.33
  OR
  • ruby sidekiq-unique-jobs, range 8.0.7

Vendor: ruby
Product: sidekiq-unique-jobs
Version: *
CPE: cpe:2.3:a:ruby:sidekiq-unique-jobs:*:*:*:*:*:*:*:*
