{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26141", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.926Z", "datePublished": "2023-09-14T05:00:00.986Z", "dateUpdated": "2024-09-25T18:16:01.457Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}}], "credits": [{"value": "Keegan Parr", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (DoS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-14T05:00:00.986Z"}, "descriptions": [{"value": "Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107"}, {"url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a"}, {"url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6"}, {"url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89"}], "affected": [{"product": "sidekiq", "versions": [{"version": "0", "lessThan": "7.1.3", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.828Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a", "tags": ["x_transferred"]}, {"url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6", "tags": ["x_transferred"]}, {"url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "affected": [{"vendor": "contribsys", "product": "sidekiq", "cpes": ["cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "6.5.10", "versionType": "custom"}, {"version": "7.0", "status": "affected", "lessThan": "7.1.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T18:12:16.582418Z", "id": "CVE-2023-26141", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:16:01.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a", "tags": ["x_transferred"]}, {"url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6", "tags": ["x_transferred"]}, {"url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T18:12:16.582418Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*"], "vendor": "contribsys", "product": "sidekiq", "versions": [{"status": "affected", "version": "0", "lessThan": "6.5.10", "versionType": "custom"}, {"status": "affected", "version": "7.0", "lessThan": "7.1.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:15:55.770Z"}}], "cna": {"credits": [{"lang": "en", "value": "Keegan Parr"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "sidekiq", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.3", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107"}, {"url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a"}, {"url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6"}, {"url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89"}], "descriptions": [{"lang": "en", "value": "Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "Denial of Service (DoS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-14T05:00:00.986Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26141", "state": "PUBLISHED", "dateUpdated": "2024-09-25T18:16:01.457Z", "dateReserved": "2023-02-20T10:28:48.926Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2023-09-14T05:00:00.986Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "825EBC88-1B2F-4264-816E-F1F455207FCF", "versionEndExcluding": "6.5.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C9916BC-BC63-42B1-BBA9-3FAC86B9465E", "versionEndExcluding": "7.1.3", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests."}, {"lang": "es", "value": "Las versiones del paquete sidekiq anteriores a la 7.1.3 son vulnerables a la Denegaci\u00f3n de Servicio (DoS) debido a comprobaciones insuficientes en el archivo dashboard-charts.js. Un atacante puede aprovechar esta vulnerabilidad manipulando el valor de localStorage, lo que provocar\u00e1 peticiones excesivas."}], "id": "CVE-2023-26141", "lastModified": "2024-11-21T07:50:51.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-14T05:15:11.363", "references": [{"source": "report@snyk.io", "tags": ["Exploit"], "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a"}, {"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-sidekiq-0:6.5.12-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}], "bugzilla": {"description": "sidekiq: DoS in dashboard-charts", "id": "2239010", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239010"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.", "A denial of service vulnerability was found in Sidekiq. This flaw allows an attacker to manipulate the localStorage value in the dashboard-charts.js file and cause excessive polling requests."], "name": "CVE-2023-26141", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2023-09-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-26141\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-26141\nhttps://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89"], "threat_severity": "Moderate", "upstream_fix": "sidekiq 7.1.3"}