CVE-2022-23837
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 21 Jan 2022, 00:00
Last modified:03 Aug 2024, 03:51
Vulnerability Summary
Overall Risk (default)
medium
40/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.75% LOW
1% probability +0.15%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
21 Jan 2022, 00:00
Published
Vulnerability first disclosed
03 Aug 2024, 03:51
Last Modified
Vulnerability information updated
Description
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.75%• Percentile: 73%
Techniques & Countermeasures
- CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Affected Systems
- contribsys•sidekiq
< 5.2.10 | ≥ 6.0.0, < 6.4.0
- debian•debian_linux
9.0
References (5)
- https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
- https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
- https://github.com/rubysec/ruby-advisory-db/pull/495
- https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html