2277678 – (CVE-2024-32887) CVE-2024-32887 ruby-sidekiq: Reflected XSS in Metrics Web Page

Bug 2277678 (CVE-2024-32887) - CVE-2024-32887 ruby-sidekiq: Reflected XSS in Metrics Web Page

Summary: CVE-2024-32887 ruby-sidekiq: Reflected XSS in Metrics Web Page

Keywords:
Status:	NEW
Alias:	CVE-2024-32887
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2277679 2277680
Blocks:	2277681
TreeView+	depends on / blocked

Reported:	2024-04-29 06:27 UTC by TEJ RATHI
Modified:	2024-06-22 08:28 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sidekiq 7.2.4
Doc Type:	If docs needed, set a value
Doc Text:	A reflected Cross-site scripting (XSS) vulnerability was found in Rubygem Sidekiq. The value of the substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit this to target the users of the Sidekiq Web UI and users of other applications deployed on the same domain or website as that of the Sidekiq website. This issue potentially compromises user accounts and data, forcing the users to perform sensitive actions that involve stealing sensitive data, performing CORS attacks, or defacement of the web application.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2024-04-29 06:27:20 UTC

Sidekiq has reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application.  An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
https://github.com/sidekiq/sidekiq/releases/tag/v7.2.4
https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq

Note You need to log in before you can comment on or make changes to this bug.