VDB
CVE-2022-23837
PUBLISHED
CVSS 7.5 HIGH
In api.rb in Sidekiq before 5.2.10 and 6.x before 6.4.0, the Web UI places no upper bound on the number of days a client may request when asking for the stats history that feeds the dashboard graph. Because the history is assembled by looking up a per-day counter for every day in the requested range, an unauthenticated request with a very large day count makes the process do an arbitrarily large amount of work, overloading the system and leaving the Web UI unavailable to legitimate users (denial of service).
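The failure mode and the fix, as an added illustration written for this page rather than code taken from Sidekiq: a history lookup whose cost grows linearly with an attacker-supplied day count, next to a hardened variant that rejects out-of-range values before any work is done. The class and method names (UnboundedHistory, BoundedHistory, dashboard_lookups), the in-memory FAKE_STORE and its numbers, and the MAX_DAYS bound are all constructed for this example; the real Sidekiq code reads its counters from Redis and may use a different limit.

```ruby
require "date"

# Constructed stand-in for the per-day counters a job system keeps in Redis,
# keyed like "stat:processed:YYYY-MM-DD". The values are made up.
FAKE_STORE = {
  "stat:processed:2022-01-20" => 1200,
  "stat:processed:2022-01-19" => 950
}.freeze

# Vulnerable shape: whatever day count the caller supplies is walked in full,
# one store lookup per day. Cost is O(days) with no upper bound.
class UnboundedHistory
  attr_reader :lookups

  def initialize(days_previous, start_date)
    @days_previous = days_previous
    @start_date = start_date
    @lookups = 0
  end

  # Returns { "YYYY-MM-DD" => count } for each day in the range.
  def processed
    result = {}
    @days_previous.times do |i|
      date = (@start_date - i).to_s
      @lookups += 1                      # one round trip per day in a real deployment
      result[date] = FAKE_STORE.fetch("stat:processed:#{date}", 0)
    end
    result
  end
end

# Hardened shape: validate the range against what the store can meaningfully
# hold before doing any work. The five-year bound is an assumed value for
# this example, not necessarily the project's own limit.
MAX_DAYS = 5 * 365

class BoundedHistory < UnboundedHistory
  def initialize(days_previous, start_date)
    unless days_previous.is_a?(Integer) && days_previous.between?(1, MAX_DAYS)
      raise ArgumentError, "days must be between 1 and #{MAX_DAYS}, got #{days_previous.inspect}"
    end
    super
  end
end

# Mimics a dashboard handler turning an attacker-controlled query parameter
# into a history request. Returns the number of store lookups performed, or
# -1 when the request was rejected up front.
def dashboard_lookups(params, klass, start_date = Date.new(2022, 1, 20))
  days = (params["days"] || 30).to_i     # String#to_i: non-numeric input becomes 0
  history = klass.new(days, start_date)
  history.processed
  history.lookups
rescue ArgumentError
  -1
end

if __FILE__ == $PROGRAM_NAME
  puts "unbounded, days=100000: #{dashboard_lookups({ "days" => "100000" }, UnboundedHistory)} lookups"
  puts "bounded,   days=100000: #{dashboard_lookups({ "days" => "100000" }, BoundedHistory)} (rejected)"
end
```

The point of the bounded variant is that the check sits in the constructor, so a rejected request costs nothing beyond parsing the parameter; clamping the value silently would also work, but raising makes the abuse visible in logs. Note that `to_i` turns garbage such as `"abc"` into 0 and keeps negative numbers, both of which the bounded class refuses and the unbounded one quietly accepts as an empty range.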
EPSS 0.75% · 73.5th percentile
Risk Scores
- CVSS 3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, no privileges or user interaction, availability impact only)
- EPSS: 0.75% (73.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RubyGems | sidekiq | 0 up to (excluding) 5.2.10; 6.0.0 up to (excluding) 6.4.0 |
| contribsys | sidekiq | 0 up to (excluding) 5.2.10; 6.0.0 up to (excluding) 6.4.0 |
| debian | debian_linux | 9.0 |

The extracted product data lists only the range start versions (0 and 6.0.0); the upper bounds above are taken from the description (fixed in 5.2.10 and 6.4.0).
Exploit Intelligence
- CIRCL seen: CVE-2022-23837 (circl-sighting)
- https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (circl)
- https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md (circl)
- https://github.com/rubysec/ruby-advisory-db/pull/495 (circl)
- [debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update (circl)
- [debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update (circl)
Timeline
- Jan 21, 2022: CVE published
- Jan 22, 2022: PoC published
- Feb 8, 2022: EPSS score updated
- Apr 1, 2022: EPSS score updated
- Jul 16, 2022: EPSS score updated
- Sep 7, 2022: EPSS score updated
- Oct 29, 2022: EPSS score updated
- Dec 21, 2022: EPSS score updated
- Mar 7, 2023: EPSS score updated
- Mar 13, 2023: CVE updated
- Apr 5, 2023: EPSS score updated
- May 27, 2023: EPSS score updated
References
- https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (fix commit)
- https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md (PoC)
- https://github.com/rubysec/ruby-advisory-db/pull/495 (advisory database entry)
- [debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update (mailing list)
- [debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update (mailing list)
- https://nvd.nist.gov/vuln/detail/CVE-2022-23837 (advisory)
- https://github.com/mperham/sidekiq (package)