CVE-2022-23837
Denial of Service (DoS) vulnerability in sidekiq (RubyGems)
What is CVE-2022-23837 About?
Sidekiq's Web UI draws its processed/failed graph from daily statistics kept in Redis. In Sidekiq versions before 6.4.0 (6.x series) and before 5.2.10 (5.x series), the stats history code in `api.rb` does not limit the number of days a graph request may ask for. An attacker who can reach the Web UI can request an excessively large date range, overloading the process that serves the UI and making it unavailable. The flaw does not lead to remote code execution, but it is a significant availability risk.
Affected Software
- sidekiq
  - >=6.0.0, <6.4.0
  - <5.2.10
Technical Details
The dashboard route of the Sidekiq Web UI takes the number of days to graph from the query string (the `days` parameter) and hands it to the stats history class in `api.rb`. That class builds one Redis key per requested day (of the form `stat:processed:YYYY-MM-DD` and `stat:failed:YYYY-MM-DD`) and fetches the values so the graph can be drawn. In versions before 6.4.0 and 5.2.10 there is no upper bound on that number, so a request asking for millions of days makes the web process allocate a correspondingly huge list of dates and keys and fetch them all from Redis. The result is high CPU and memory use in the process serving the UI, plus extra load on Redis, until the UI stops responding to legitimate users. The attack targets the Web UI; the job-processing side is affected only insofar as it shares the same Redis instance. The root cause is a missing range check on attacker-controlled input, and the fix in 6.4.0 and 5.2.10 bounds the number of days that can be requested.
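The following is an added example, not Sidekiq's own code. It models the pattern described above: a history class that builds one stats key per requested day with no range check, next to a bounded variant modelled on the 6.4.0 / 5.2.10 fix. Redis is left out so the example runs offline; only the key list is built, which is enough to show how the work grows with the attacker-controlled `days` value. The five-year upper limit, the `2022-01-01` start date and the class names are assumptions made for this example.

```ruby
require "date"

# Added example (not Sidekiq's own code): a minimal model of how the stats
# history in api.rb derives the per-day Redis keys for the dashboard graph.
# Real Sidekiq fetches these keys from Redis; here only the key list is built.
class UnboundedHistory
  attr_reader :days_previous

  # start_date is fixed for reproducibility (assumption for this example).
  def initialize(days_previous, start_date = Date.new(2022, 1, 1))
    @days_previous = days_previous # no range check: attacker-controlled
    @start_date = start_date
  end

  # One key of the form stat:<stat>:YYYY-MM-DD per requested day,
  # walking backwards from start_date.
  def stat_keys(stat = "processed")
    @start_date.downto(@start_date - @days_previous + 1).map do |date|
      "stat:#{stat}:#{date.strftime("%Y-%m-%d")}"
    end
  end
end

# Hardened variant modelled on the fix: refuse requests for fewer than one
# day or more than five years of history. The exact limit is an assumption.
class BoundedHistory < UnboundedHistory
  MAX_DAYS = 5 * 365

  def initialize(days_previous, start_date = Date.new(2022, 1, 1))
    if days_previous < 1 || days_previous > MAX_DAYS
      raise ArgumentError, "days must be between 1 and #{MAX_DAYS}"
    end
    super
  end
end

# Mirror of the dashboard route: `days` comes straight from the query string
# and defaults to 30. Returns how many Redis keys the request fans out into.
def keys_for_query(days_param, bounded:)
  days = (days_param || 30).to_i
  history = bounded ? BoundedHistory.new(days) : UnboundedHistory.new(days)
  history.stat_keys.length
end

if __FILE__ == $0
  puts keys_for_query("30", bounded: false)     # a normal dashboard request
  puts keys_for_query("100000", bounded: false) # unbounded: 100000 keys built
  begin
    keys_for_query("100000", bounded: true)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The unbounded class does exactly what the attacker relies on: the cost of the request is linear in a number the client chooses, with no ceiling. The bounded class fails closed with `ArgumentError` before any keys are built, which is the shape of check the upgrade introduces.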
What is the Impact of CVE-2022-23837?
Successful exploitation may allow attackers to cause a denial of service, rendering the Sidekiq Web UI unresponsive or inaccessible.
What is the Exploitability of CVE-2022-23837?
Exploitation is low-complexity: a single HTTP request to the dashboard with a very large `days` value is enough, and no special tooling is required. The only prerequisite is being able to reach the Sidekiq Web UI. Sidekiq ships no authentication of its own for the Web UI; it is a Rack application that the deployer is expected to protect (for example with HTTP basic auth or an application-level authorisation constraint), so the attack is effectively unauthenticated wherever that protection is missing or weak. The vulnerability is remote, since the request goes to the Web UI endpoint, and there are no further conditions beyond supplying an arbitrarily large range. Risk is highest when the UI is exposed to untrusted networks or the Internet, or when the authentication placed in front of it can be bypassed.
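For deployments that cannot upgrade immediately, one stopgap is to reject out-of-range `days` values before they reach the Sidekiq Web UI at all. The Rack-compatible middleware below is an added example written for this page, not something Sidekiq provides; it uses only the Rack calling convention (`call(env)` returning `[status, headers, body]`) and the Ruby standard library, so it runs offline. The five-year limit, the 400 response and the class name are assumptions; the upgrade remains the real fix.

```ruby
require "uri"

# Added example, not part of Sidekiq: a Rack-compatible middleware placed in
# front of the Sidekiq Web UI that rejects requests whose `days` query
# parameter is not a plain integer within 1..max_days. Everything else is
# passed through untouched.
class SidekiqDaysGuard
  MAX_DAYS = 5 * 365 # assumed upper bound (five years of daily stats)

  def initialize(app, max_days: MAX_DAYS)
    @app = app
    @max_days = max_days
  end

  def call(env)
    # decode_www_form returns [[name, value], ...]; assoc picks the first `days`.
    pair = URI.decode_www_form(env["QUERY_STRING"].to_s).assoc("days")
    if pair && !valid_days?(pair.last)
      return [400, {"content-type" => "text/plain"}, ["days must be between 1 and #{@max_days}\n"]]
    end
    @app.call(env)
  end

  private

  # Only accept plain positive integers: "1e9", "-5", "" and "abc" are refused
  # before to_i could silently coerce them.
  def valid_days?(raw)
    raw.match?(/\A\d+\z/) && raw.to_i.between?(1, @max_days)
  end
end

# Stand-in for the mounted Sidekiq::Web app (constructed for this example).
UPSTREAM = ->(_env) { [200, {"content-type" => "text/html"}, ["<h1>dashboard</h1>"]] }

# Builds a minimal Rack env for GET / with the given query string and returns
# the HTTP status the guarded stack produces.
def guard_status(query_string, max_days: SidekiqDaysGuard::MAX_DAYS)
  env = {"REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "QUERY_STRING" => query_string}
  SidekiqDaysGuard.new(UPSTREAM, max_days: max_days).call(env).first
end

if __FILE__ == $0
  puts guard_status("days=30")       # 200: normal request passes through
  puts guard_status("days=99999999") # 400: rejected before reaching the UI
  puts guard_status("")              # 200: no days parameter, upstream default applies
end
```

In a `config.ru` the guard goes before the UI with `use SidekiqDaysGuard` ahead of `run Sidekiq::Web`; it belongs behind whatever authentication already protects the UI, not in place of it, since an authenticated user can still trigger the overload on an unpatched version.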
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23837?
Available Upgrade Options
- sidekiq
  - <5.2.10 → Upgrade to 5.2.10
  - >=6.0.0, <6.4.0 → Upgrade to 6.4.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-jrfj-98qg-qjgv
- https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-23837
- https://github.com/mperham/sidekiq
- https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
- https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
- https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
- https://github.com/rubysec/ruby-advisory-db/pull/495
What are Similar Vulnerabilities to CVE-2022-23837?
Similar Vulnerabilities: CVE-2023-45803, CVE-2021-39187, CVE-2019-15587, CVE-2018-1000877, CVE-2017-1000078
