CVE-2022-23837
Published 2022-01-21
Priority P343 · high · 7.5 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 5.26% (91.5th percentile)
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contribsys | sidekiq | < 5.2.10 | 5.2.10 |
| contribsys | sidekiq | >= 6.0.0 < 6.4.0 | 6.4.0 |
| debian | debian_linux | — | — |
| debian | ruby-sidekiq (bookworm) | < 6.4.1+dfsg-1 | 6.4.1+dfsg-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV
ruby-sidekiq vulnerabilities
osv · 2025-08-14 · CVSS 6.1 · CVE-2021-30151 [MEDIUM]
Anas Roubi discovered that Sidekiq did not correctly sanitize certain
inputs. An attacker could possibly use this issue to execute a cross-site
scripting (XSS) attack. This issue only affected Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS. (CVE-2021-30151)
It was discovered that Sidekiq did not correctly bound certain inputs. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-23837)
GHSA
Denial of service in sidekiq
ghsa · 2022-01-27 · CVE-2022-23837 [HIGH] · CWE-400
In `api.rb` in Sidekiq before 6.4.0 and 5.2.10, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
OSV
Denial of service in sidekiq
osv · 2022-01-27 · CVE-2022-23837 [HIGH]
In `api.rb` in Sidekiq before 6.4.0 and 5.2.10, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
OSV
CVE-2022-23837: In api
osv · 2022-01-21 · CVSS 7.5 · CVE-2022-23837 [HIGH]
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
Ubuntu
Sidekiq vulnerabilities
vendor_ubuntu · 2025-08-14 · CVSS 6.1 · CVE-2021-30151 [MEDIUM]
Summary: Several security issues were fixed in Sidekiq.
Anas Roubi discovered that Sidekiq did not correctly sanitize certain
inputs. An attacker could possibly use this issue to execute a cross-site
scripting (XSS) attack. This issue only affected Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS. (CVE-2021-30151)
It was discovered that Sidekiq did not correctly bound certain inputs. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-23837)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
sidekiq: WebUI Denial of Service caused by number of days on graph
vendor_redhat · 2022-01-22 · CVSS 7.5 · CVE-2022-23837 [HIGH] · CWE-770
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
A denial of service vulnerability was found in job scheduler sidekiq. An attacker can request statistics for the graph and, since there were no limits on the days parameter, overload the system, affecting the WebUI.
Package: rubygem-sidekiq (Red Hat 3scale API Management Platform 2) - Will not fix
Debian
CVE-2022-23837: ruby-sidekiq
vendor_debian · 2022 · CVSS 7.5 · CVE-2022-23837 [HIGH]
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
Scope: local
bookworm: resolved (fixed in 6.4.1+dfsg-1)
bullseye: resolved (fixed in 6.0.4+dfsg-2+deb11u1)
forky: resolved (fixed in 6.4.1+dfsg-1)
sid: resolved (fixed in 6.4.1+dfsg-1)
trixie: resolved (fixed in 6.4.1+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md
https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
https://github.com/rubysec/ruby-advisory-db/pull/495
https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html