Vulnerability Description
sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in. 1. `/changelogs`, 2. `/locks` or 3. `/expiring_locks`. This issue has been addressed in versions 7.1.33 and 8.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mhenrixon | Sidekiq-Unique-Jobs | < 7.1.33 |
Related Weaknesses (CWE)
References
- https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748Patch
- https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rExploitThird Party Advisory
- https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748Patch
- https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rExploitThird Party Advisory
FAQ
What is CVE-2024-25122?
CVE-2024-25122 is a vulnerability with a CVSS score of 7.1 (HIGH). sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following e...
How severe is CVE-2024-25122?
CVE-2024-25122 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-25122?
Check the references section above for vendor advisories and patch information. Affected products include: Mhenrixon Sidekiq-Unique-Jobs.