CVE-2022-23837
HIGHSidekiq < 5.2.10 and >=6.0.0 <6.4.0 - Denial of Service via Unlimited Stats Request
Title source: llmDescription
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html
Exploit, Third Party Advisory
https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
Patch, Third Party Advisory
https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
Patch, Third Party Advisory
https://github.com/rubysec/ruby-advisory-db/pull/495
Scores
CVSS v3
7.5
EPSS
0.0526
EPSS Percentile
91.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (3)
contribsys/sidekiq
< 5.2.10
debian/debian_linux
9.0
rubygems/sidekiq
6.0.0 - 6.4.0RubyGems
Published
Jan 21, 2022
Tracked Since
Feb 18, 2026