CVE-2024-25122.yml
---
gem: sidekiq-unique-jobs
cve: 2024-25122
ghsa: cmh9-rx85-xj38
url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
title: sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis
date: 2024-02-13
description: |
  Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.

  ### Details
  Specially crafted URL query parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI
  allow a super-user attacker, or an unwitting but authorized victim who has received a disguised / crafted link,
  to successfully execute malicious code, which could potentially steal cookies, session data,
  or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.

  If your sidekiq-unique-jobs web UI is mounted at `/sidekiq`, the vulnerable paths and query parameters are:

  * `/sidekiq/changelogs`
    * `filter`
    * `count`
  * `/sidekiq/locks`
    * `filter`
    * `count`
  * `/sidekiq/expiring_locks`
    * `filter`

  ### Impact
  This is a vulnerability of critical severity, which impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry, with multiple attack vectors.

  ### Patches
  The fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.
cvss_v3: 7.1
patched_versions:
  - "~> 7.1.33"
  - ">= 8.0.7"
related:
  url:
    - https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc
    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
    - https://nvd.nist.gov/vuln/detail/CVE-2024-25122
    - https://github.com/advisories/GHSA-cmh9-rx85-xj38
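The `patched_versions` list above uses RubyGems requirement syntax, so a deployment is unaffected only if its installed version satisfies at least one of the constraints (`~> 7.1.33` covers 7.1.33 up to but excluding 7.2.0; `>= 8.0.7` covers the 8.x fix). The script below is an added example, not code from ruby-advisory-db or from the sidekiq-unique-jobs project: it loads the fields of this record that matter for a version check, evaluates them with `Gem::Requirement`, and scans a constructed `Gemfile.lock` fragment for an affected pin. The helper names (`patched?`, `vulnerable_specs`) and the sample lock contents are assumptions made for the example.

```ruby
require "yaml"
require "rubygems"

# Constructed copy of the fields from the advisory record above that the check needs.
ADVISORY_YAML = <<~YAML
  gem: sidekiq-unique-jobs
  cve: 2024-25122
  patched_versions:
    - "~> 7.1.33"
    - ">= 8.0.7"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# True when `version` satisfies at least one patched_versions constraint,
# i.e. the installed gem already carries the fix for this advisory.
# "~> 7.1.33" is RubyGems' pessimistic operator: >= 7.1.33 and < 7.2.
def patched?(version, advisory = ADVISORY)
  v = Gem::Version.new(version)
  Array(advisory["patched_versions"]).any? do |constraint|
    Gem::Requirement.new(constraint).satisfied_by?(v)
  end
end

# Scans Gemfile.lock text for top-level "name (version)" specs (4-space indent;
# 6-space lines are transitive dependency constraints and are skipped) and
# returns [name, version, cve] for every pin of the advisory's gem that is
# not covered by patched_versions.
def vulnerable_specs(lock_text, advisory = ADVISORY)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).filter_map do |name, version|
    next unless name == advisory["gem"]
    next if patched?(version, advisory)

    [name, version, "CVE-#{advisory['cve']}"]
  end
end

# Constructed Gemfile.lock fragment with a pre-fix 8.x pin (assumption for the example).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sidekiq (7.2.1)
      sidekiq-unique-jobs (8.0.6)
        concurrent-ruby (~> 1.0, >= 1.0.5)
        sidekiq (>= 7.0.0, < 8.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  vulnerable_specs(SAMPLE_LOCK).each do |name, version, cve|
    puts "#{name} #{version} is affected by #{cve}; upgrade to a version matching " \
         "#{ADVISORY['patched_versions'].join(' or ')}"
  end
end
```

Note that a 7.2.x install would also be reported: the record lists no patched 7.2 release, so by the data as written only the 7.1.33+ and 8.0.7+ lines carry the fix.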