ruby-sidekiq: CVE-2023-26141

Related Vulnerabilities: CVE-2023-26141  

Debian Bug report logs - #1059300
ruby-sidekiq: CVE-2023-26141

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 22 Dec 2023 13:09:06 UTC

Severity: grave

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1059300; Package src:ruby-sidekiq. (Fri, 22 Dec 2023 13:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 22 Dec 2023 13:09:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: ruby-sidekiq: CVE-2023-26141
Date: Fri, 22 Dec 2023 14:06:04 +0100
Source: ruby-sidekiq
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sidekiq.

CVE-2023-26141[0]:
| Versions of the package sidekiq before 7.1.3 are vulnerable to
| Denial of Service (DoS) due to insufficient checks in the dashboard-
| charts.js file. An attacker can exploit this vulnerability by
| manipulating the localStorage value which will cause excessive
| polling requests.

https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107
https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89 (v7.1.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26141
    https://www.cve.org/CVERecord?id=CVE-2023-26141

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Dec 2023 20:09:35 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 23 08:19:32 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.