oss-sec mailing list archives
CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem
From: Reed Loden <reed () reedloden com>
Date: Fri, 31 Jul 2015 23:45:38 -0700
Sidekiq is "Simple, efficient background processing for Ruby" (a gem)
* http://sidekiq.org
* https://github.com/mperham/sidekiq/
* https://rubygems.org/gems/sidekiq

Was going through Sidekiq's changelog and its commits, and I came across several security issues that lack CVEs.

XSS via queue name in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/issues/2330
* Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
* Fix released in sidekiq 3.4.0

XSS via job arguments display class in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/pull/2309
* Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
* Fix released in sidekiq 3.4.0

Sidekiq::Web lacks CSRF protection
* Reported via https://github.com/mperham/sidekiq/pull/2422
* Fixed by https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
* Fix released in sidekiq 3.4.2
* Follow-up fix in https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694 to enable sessions in Sinatra, plus mention of a possible monkey patch needed to make Rails work correctly (neither change is in a release yet).

Can CVEs be assigned for these issues?

Thanks,
~reed
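The two classes of issue in the post (reflected/stored XSS from unescaped values rendered in a web UI, and state-changing requests accepted without a CSRF token) are illustrated below in a small Ruby script. This is an added example written for this archive page; it is not code from the post, from Sidekiq, or from the linked commits, and it makes no claim about how Sidekiq::Web implements its fixes. The helper names (render_queue_row_unescaped, render_queue_row_escaped, csrf_valid?) and the queue name payload are constructed for the illustration; the escaping helper used is the standard library's ERB::Util.html_escape.

```ruby
require 'erb'
require 'securerandom'

# Constructed example input: a queue name that carries markup.
# Not a real Sidekiq queue; it exists only to show the rendering difference.
MALICIOUS_QUEUE = 'default<script>alert(1)</script>'.freeze

# Unescaped rendering (the defect pattern): the value is interpolated into
# HTML verbatim, so any markup it contains is parsed by the browser.
def render_queue_row_unescaped(name)
  "<tr><td>#{name}</td></tr>"
end

# Escaped rendering (the fix pattern): ERB::Util.html_escape converts
# <, >, &, " and ' into entities, so the value is shown as text.
def render_queue_row_escaped(name)
  "<tr><td>#{ERB::Util.html_escape(name)}</td></tr>"
end

# Simple check a test suite can use: does the rendered HTML still contain
# a raw <script tag?
def contains_script_tag?(html)
  html.include?('<script')
end

# --- CSRF token check (hypothetical helper names, not Sidekiq's API) ---

# A per-session secret that a form must echo back on state-changing requests.
def generate_csrf_token
  SecureRandom.hex(32)
end

# Constant-time string comparison so token checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Models a POST handler's gate: the request is accepted only when the token
# submitted with the form matches the token stored in the session.
# A missing session token or a missing/forged form token is rejected.
def csrf_valid?(session_token, submitted_token)
  !session_token.nil? && secure_equal?(session_token, submitted_token)
end

if __FILE__ == $PROGRAM_NAME
  puts render_queue_row_unescaped(MALICIOUS_QUEUE)
  puts render_queue_row_escaped(MALICIOUS_QUEUE)

  token = generate_csrf_token
  puts "same-session token accepted: #{csrf_valid?(token, token)}"
  puts "missing token accepted:      #{csrf_valid?(token, nil)}"
end
```

The escaping half is the check to apply wherever user- or job-controlled strings (queue names, argument class names) reach a template: compare the escaped output against the raw one in a test. The CSRF half shows the minimum a web UI needs before accepting a POST that deletes or retries jobs: a session-bound secret, compared in constant time, with absence treated as failure rather than as a pass.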