sidekiq-unique-jobs 7.1.7

1 security vulnerability found in version 7.1.7

sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis

high severity CVE-2024-25122
Patched versions: ~> 7.1.33, >= 8.0.7

Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.

Details

Specially crafted URL query parameters handled by any of the following endpoints of the sidekiq-unique-jobs "admin" web UI allow an attacker with super-user access, or an unwitting but authorized victim who has received a disguised or crafted link, to execute malicious script in the browser. That script could steal cookies, session data, or local storage data from the application the sidekiq-unique-jobs web UI is mounted in.

If your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths and query parameters are:

  • /sidekiq/changelogs
    • filter
    • count
  • /sidekiq/locks
    • filter
    • count
  • /sidekiq/expiring_locks
    • filter
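The advisory's description boils down to request parameters being reflected into the UI's HTML without encoding. The following is an added illustration, not code from sidekiq-unique-jobs itself: a hypothetical rendering helper that reflects `filter` and `count` the unsafe way, beside a hardened version that HTML-escapes free-text input with the standard library's `ERB::Util.html_escape` and coerces `count` to a bounded integer. The parameter hash is constructed for the demonstration.

```ruby
require "erb"

# Hypothetical helpers (assumed names, not the gem's own code) that mimic a
# web UI reflecting the `filter` and `count` query parameters into the page.

# Unsafe: interpolates raw request input straight into markup, so any HTML
# or script in the parameter becomes part of the rendered page.
def render_filter_unsafe(params)
  filter = params.fetch("filter", "*")
  count  = params.fetch("count", "100")
  %(<input name="filter" value="#{filter}"> <span>#{count}</span>)
end

# Hardened: free-text input is HTML-escaped before interpolation, and the
# numeric parameter is validated and clamped instead of being echoed back.
def render_filter_safe(params)
  filter = ERB::Util.html_escape(params.fetch("filter", "*"))
  count  = Integer(params.fetch("count", "100"), exception: false)
  count  = count ? count.clamp(1, 1000) : 100
  %(<input name="filter" value="#{filter}"> <span>#{count}</span>)
end

# Returns true when the rendered HTML still contains the raw payload, i.e.
# the reflected value would be interpreted as markup by a browser.
def reflects_markup?(html, payload)
  html.include?(payload)
end

# Constructed request parameters carrying a markup payload in both fields.
CONSTRUCTED_PARAMS = {
  "filter" => "<script>x</script>",
  "count"  => "10<script>x</script>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_filter_unsafe(CONSTRUCTED_PARAMS)}"
  puts "safe:   #{render_filter_safe(CONSTRUCTED_PARAMS)}"
end
```

The safe variant never lets the raw payload reach the page: the `filter` value survives only as entity-encoded text, and a non-numeric `count` falls back to the default rather than being reflected at all. The same pattern (escape on output, validate typed parameters) is what the patched releases listed above are expected to apply.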

Impact

This vulnerability is of critical severity and has multiple attack vectors; it impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry.

Patches

The fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.

No officially reported memory leak issues detected.

This gem version does not have any officially reported memory leak issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.