CVE-2022-23837: Denial of service in sidekiq
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57057%
CWE
Published
1/27/2022
Updated
1/24/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
sidekiq | rubygems | >= 6.0.0, < 6.4.0 | 6.4.0 |
sidekiq | rubygems | < 5.2.10 | 5.2.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key points: 1) The History
class constructor accepted unbounded 'days' values, as shown by the added validation
in the commit (days_previous > 5*365 check). 2) The web interface directly passed user-controlled 'days' parameter to this constructor without sanitization, as evidenced by the added 'days > 180' check in the route handler. Together these allowed arbitrary resource consumption via crafted 'days' parameter.