CVE-2023-26141
Denial of Service (DoS) vulnerability in sidekiq (RubyGems)

Category: Denial of Service (DoS). Known exploit: none.

What is CVE-2023-26141 About?

This vulnerability in Sidekiq versions prior to 7.1.3 and 6.5.10 allows for a Denial of Service (DoS) due to insufficient checks in the `dashboard-charts.js` file. An attacker can manipulate localStorage values to trigger excessive polling requests, disrupting service availability. Exploitation is relatively easy if an attacker can manipulate browser-side storage.

Affected Software

  • sidekiq
    • <6.5.10
    • >=7.0.0, <7.1.3

Technical Details

The Denial of Service (DoS) vulnerability in Sidekiq is caused by insufficient checks within the dashboard-charts.js file. An attacker can manipulate the localStorage entries used by the Sidekiq dashboard. By injecting specific, malformed, or oversized values into localStorage, the client-side script is coerced into initiating an excessive number of polling requests to the server. This flood of requests, when multiplied across multiple attacking clients or through automated scripts, can overwhelm the Sidekiq application's backend, leading to resource exhaustion and a denial of service for legitimate users.
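As an added example (not Sidekiq's own `dashboard-charts.js`), the pattern described above in JavaScript: a poll interval read from localStorage without checks, beside a hardened version that accepts only a plain decimal string and clamps it to a sane range. The key name `pollInterval`, the default and the bounds are assumptions for this demonstration, not values taken from Sidekiq.

```javascript
// Added example, not Sidekiq's own code: a dashboard poll interval read from
// localStorage, shown as the trusting pattern and a hardened one. The key
// name "pollInterval" and the numeric bounds are assumptions for this demo.

const DEFAULT_INTERVAL_MS = 5000;  // assumed dashboard default
const MIN_INTERVAL_MS = 2000;      // floor: never poll the backend faster
const MAX_INTERVAL_MS = 60000;     // ceiling: reject absurdly large values

// Minimal stand-in for window.localStorage so the example runs offline.
function makeStorage(entries) {
  return { getItem: (k) => (k in entries ? String(entries[k]) : null) };
}

// Trusting pattern: whatever is in storage becomes the setInterval delay.
// A stored "1" yields a 1 ms interval, i.e. a request flood on the backend.
function naivePollInterval(storage, key = "pollInterval") {
  const n = parseInt(storage.getItem(key), 10);
  return Number.isNaN(n) ? DEFAULT_INTERVAL_MS : n;
}

// Hardened pattern: accept only a plain decimal string, then clamp into
// [MIN, MAX]. Missing, negative, exponent or hex forms fall back to default.
function safePollInterval(storage, key = "pollInterval") {
  const raw = storage.getItem(key);
  if (raw === null || !/^\d{1,9}$/.test(raw)) return DEFAULT_INTERVAL_MS;
  const n = Number(raw);
  return Math.min(MAX_INTERVAL_MS, Math.max(MIN_INTERVAL_MS, n));
}

// Polls a timer fires within windowMs. Browsers clamp nested timers to
// roughly 4 ms, so tiny or negative delays still fire very frequently.
function pollsInWindow(intervalMs, windowMs) {
  return Math.floor(windowMs / Math.max(intervalMs, 4));
}

// Demo on constructed storage contents (a tampered value of "1").
const tampered = makeStorage({ pollInterval: "1" });
console.log(naivePollInterval(tampered), pollsInWindow(naivePollInterval(tampered), 60000)); // 1 15000
console.log(safePollInterval(tampered), pollsInWindow(safePollInterval(tampered), 60000));   // 2000 30
```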

What is the Impact of CVE-2023-26141?

Successful exploitation may allow attackers to cause a denial of service, making the Sidekiq dashboard and potentially related services unavailable to legitimate users.

What is the Exploitability of CVE-2023-26141?

Exploitation of this vulnerability is of low to moderate complexity. It typically requires access to the client-side environment (e.g., a web browser) in which the Sidekiq dashboard is viewed, so that localStorage for the dashboard's origin can be manipulated. No authentication to the Sidekiq application is required to alter client-side localStorage itself, though authenticated access to the dashboard may be needed for the excessive polling to reach the server. This is primarily a remote scenario against a web application; the one special condition is the ability to modify the browser's localStorage for the target domain. Exposing the Sidekiq dashboard to untrusted networks or users, and running a vulnerable version, increase the likelihood of exploitation.

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none recorded.

What are the Available Fixes for CVE-2023-26141?

Available Upgrade Options

  • sidekiq <6.5.10 → Upgrade to 6.5.10
  • sidekiq >=7.0.0, <7.1.3 → Upgrade to 7.1.3

Additional Resources

What are Similar Vulnerabilities to CVE-2023-26141?

Similar Vulnerabilities: CVE-2023-28198, CVE-2021-41183, CVE-2020-15147, CVE-2019-10650, CVE-2019-10651