
CVE-2022-23837: Denial of service in sidekiq

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.57057%
Published: 1/27/2022
Updated: 1/24/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
sidekiq      | rubygems  | >= 6.0.0, < 6.4.0   | 6.4.0
sidekiq      | rubygems  | < 5.2.10            | 5.2.10

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two points. 1) The `History` class constructor in `api.rb` accepted an unbounded `days` value; the fix adds a guard in the constructor that rejects `days_previous > 5*365`. 2) The web interface passed the user-controlled `days` query parameter straight to that constructor without validation; the fix adds a `days > 180` check in the route handler. Together these allowed a request with a crafted `days` parameter to trigger resource consumption that scales with the requested number of days, overloading the process and making the Web UI unavailable.
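To make the two guards concrete, here is an added example (not Sidekiq's own code; the class and method names are hypothetical stand-ins) that models a per-day stats lookup driven by a `days` query parameter. It shows the unchecked pre-fix parsing beside the route-level cap of 180 and the constructor-level cap of 5*365 described above, and how the per-day work grows with the value an attacker supplies:

```ruby
require "date"

# Added example, not Sidekiq's own code: a minimal stand-in for the
# per-day stats lookup the advisory describes, with the two guards the
# fix introduced (a hard cap in the History constructor and a tighter
# cap in the web route). Class and method names here are hypothetical.
MAX_HISTORY_DAYS = 5 * 365   # constructor-level guard (days_previous > 5*365 rejected)
MAX_WEB_DAYS     = 180       # route-level guard (days > 180 rejected)

class StatsHistory
  attr_reader :days_previous

  def initialize(days_previous, start_date = Date.today)
    unless days_previous.is_a?(Integer) && days_previous >= 1
      raise ArgumentError, "days_previous must be a positive integer"
    end
    if days_previous > MAX_HISTORY_DAYS
      raise ArgumentError, "days_previous must not exceed #{MAX_HISTORY_DAYS}"
    end
    @days_previous = days_previous
    @start_date = start_date
  end

  # One stat key per requested day: work and memory grow linearly with
  # days_previous, which is what an unbounded parameter lets a caller exhaust.
  def stat_keys(stat)
    (0...@days_previous).map do |offset|
      "stat:#{stat}:#{(@start_date - offset).strftime('%Y-%m-%d')}"
    end
  end
end

# Pre-fix route behaviour: the user-supplied "days" value is parsed and
# handed on as-is, so "days=99999999" is accepted without complaint.
def graph_days_unchecked(params)
  (params["days"] || 30).to_i
end

# Hardened route behaviour: bound the value before it reaches the constructor.
# Returns the validated integer, or nil when the request should be rejected.
def graph_days_checked(params)
  days = (params["days"] || 30).to_i
  return nil if days < 1 || days > MAX_WEB_DAYS
  days
end

# Handle a graph request end to end. The fixed start date is a constructed
# value so the output is deterministic; a real handler would use Date.today.
# Returns [:ok, keys] or [:rejected, reason].
def handle_graph_request(params)
  days = graph_days_checked(params)
  return [:rejected, "days out of range"] if days.nil?
  history = StatsHistory.new(days, Date.new(2022, 1, 27))
  [:ok, history.stat_keys("processed")]
end

if __FILE__ == $PROGRAM_NAME
  p handle_graph_request({ "days" => "7" })
  p handle_graph_request({ "days" => "99999999" })
  p graph_days_unchecked({ "days" => "99999999" })
end
```

The route-level check is the one that matters for exposure, since it is the only place user input enters; the constructor cap is defence in depth for any other caller of the class. Note that `to_i` on a non-numeric string yields 0, which the lower bound rejects as well.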


WAF Protection Rules

WAF Rule

In `api.rb` in Sidekiq before 6.4.0 and 5.2.10, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
