CVE-2023-1892
Published 2023-04-21
CVE-2023-1892: Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
Priority: P3 50 · Severity: critical 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 2.74% (84.3rd percentile)
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contribsys | sidekiq | >= 7.0.4 < 7.0.8 | 7.0.8 |
| debian | ruby-sidekiq | — | — |
| mhenrixon | sidekiq-unique-jobs | >= 6.0.0.rc7 < 7.1.33 | 7.1.33 |
| mhenrixon | sidekiq-unique-jobs | >= 8.0.0 < 8.0.7 | 8.0.7 |
| sidekiq | sidekiq_sidekiq | >= 7.0.4 < unspecified | unspecified |
| sidekiq | sidekiq_sidekiq | >= unspecified < 7.0.8 | 7.0.8 |
Detection & IOCs (extracted from sources)
- URL: `{{BaseURL}}/metrics?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`
- URL: `{{BaseURL}}/metrics/SanityChecksJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`
- URL: `{{BaseURL}}/metrics/ActiveStorage::PurgeJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`
- Other: XSS payload `"><img/src/onerror=alert(document.domain)>`
- Monitor HTTP GET requests to the Sidekiq `/metrics` and `/metrics/<JobName>` endpoints for URL-encoded XSS payloads in the `period` query parameter (e.g., `%22%3E%3Cimg`, `onerror=`).
- The detection template matches on a response body containing the reflected XSS string, a `Content-Type` header of `text/html`, and HTTP status 200.
- The vulnerability affects sidekiq/sidekiq versions prior to 7.0.8; flag any Sidekiq web UI instance running a version below 7.0.8 that is exposed to untrusted input.
- Red Hat Satellite 6 packages rubygem-gitlab-sidekiq-fetcher and rubygem-sidekiq are listed as Not Affected; detections targeting those environments may produce false positives.
- Debian distributions (bookworm, bullseye, forky, sid, trixie) have all resolved this CVE; detections against patched Debian hosts will not trigger.
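The monitoring advice above, turned into runnable detection logic. This is an added example, not code from Sidekiq or from the detection template on this page; it assumes a combined-format access log (request line in quotes) and walks constructed sample lines, flagging GETs to `/metrics` or `/metrics/<JobName>` whose fully percent-decoded `period` value carries markup or an inline event handler, and it also encodes the affected version range (7.0.4 through 7.0.7).

```python
"""Log-side detection for CVE-2023-1892 (reflected XSS via Sidekiq's `period`
parameter). Added example, not Sidekiq code; assumes combined log format."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line as it appears in a combined-format access log (assumed).
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Routes named by the published payloads: /metrics and /metrics/<JobName>.
_METRICS_PATH = re.compile(r'^/metrics(/[^/?]+)?/?$')
# Markup characters or an inline event-handler attribute in the decoded value.
_MARKUP = re.compile(r'[<>"]|\bon[a-z]+\s*=', re.IGNORECASE)

def period_values(target: str) -> list[str]:
    """Return fully percent-decoded `period` values for a metrics URL, else []."""
    parts = urlsplit(target)
    if not _METRICS_PATH.match(unquote(parts.path)):
        return []
    decoded = []
    for v in parse_qs(parts.query, keep_blank_values=True).get("period", []):
        while (d := unquote(v)) != v:   # keep decoding so double-encoding is seen
            v = d
        decoded.append(v)
    return decoded

def is_xss_probe(log_line: str) -> bool:
    """True if the line is a GET to /metrics* whose `period` carries markup."""
    m = _REQ.search(log_line)
    if not m or m.group("method") != "GET":
        return False
    return any(_MARKUP.search(v) for v in period_values(m.group("target")))

def version_affected(version: str) -> bool:
    """Sidekiq 7.0.4 through 7.0.7 are affected; 7.0.8 carries the fix."""
    parts = tuple(int(p) for p in version.split("."))
    return (7, 0, 4) <= parts < (7, 0, 8)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2023:10:00:01 +0000] "GET /metrics?period=1h HTTP/1.1" 200 812',
    '10.0.0.9 - - [21/Apr/2023:10:00:02 +0000] "GET /metrics?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E HTTP/1.1" 200 901',
    '10.0.0.9 - - [21/Apr/2023:10:00:03 +0000] "GET /metrics/SanityChecksJob?period=%2522%253E%253Cimg HTTP/1.1" 200 877',
    '10.0.0.5 - - [21/Apr/2023:10:00:04 +0000] "GET /queues?period=%3Cb%3E HTTP/1.1" 200 500',
]

def flagged(lines=SAMPLE_LOG) -> list[int]:
    """Indexes of lines that look like CVE-2023-1892 probes."""
    return [i for i, line in enumerate(lines) if is_xss_probe(line)]
```

The third sample shows why decoding is repeated: a double-encoded payload still resolves to `"><img` and is flagged, while the `/queues` line is outside the affected routes and is not.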
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 8.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| osv | — | 9.6 | CRITICAL | — |
| vendor_debian | — | 9.6 | LOW | — |
| vendor_redhat | — | 9.6 | CRITICAL | — |
GHSA (ghsa · 2024-02-13): CVE-2024-25122 [HIGH] CWE-400 XSS sidekiq-unique-jobs UI server vulnerability
### Summary
Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by `sidekiq-unique-jobs` v8.0.7.
Specifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a **_P3_** on the BugCrowd [taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) with the following categorization:
Cross-Site Scripting (XSS) > Reflected > Non-Self
It was initially thought there was a second vulnerability (RCE), but it was a false alarm. Injection is impossible with Redis:
> String escaping and NoSQL injection
> The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed
OSV (osv · 2024-02-13): CVE-2024-25122 [HIGH] XSS sidekiq-unique-jobs UI server vulnerability (same advisory text as the GHSA entry above).
GHSA (ghsa · 2023-04-21): CVE-2023-1892 [HIGH] CWE-79 sidekiq vulnerable to cross-site scripting
sidekiq from 7.0.4 to 7.0.7 is vulnerable to reflected cross-site scripting. A fix was released in version 7.0.8.
OSV (osv · 2023-04-21): CVE-2023-1892 [HIGH] sidekiq vulnerable to cross-site scripting (same advisory text as the GHSA entry above).
OSV (osv · 2023-04-21 · CVSS 9.6): CVE-2023-1892 [CRITICAL] CVE-2023-1892: Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
Red Hat (vendor_redhat · 2023-04-21 · CVSS 9.6): CVE-2023-1892 [CRITICAL] CWE-79 sidekiq: Reflected XSS on Sidekiq through multiple endpoints via GET parameter "period" in sidekiq/sidekiq
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
A reflected Cross-site Scripting (XSS) vulnerability was found in sidekiq. This issue may allow code to be executed via multiple endpoints through the GET parameter "period".
- Package: rubygem-gitlab-sidekiq-fetcher (Red Hat Satellite 6) - Not affected
- Package: rubygem-sidekiq (Red Hat Satellite 6) - Not affected
Debian (vendor_debian · 2023 · CVSS 9.6): CVE-2023-1892 [CRITICAL] CVE-2023-1892: ruby-sidekiq - Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prio...
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
Scope: local
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
No detection rules found.
Nuclei (nuclei · CVSS 9.6): CVE-2023-1892 [CRITICAL] Sidekiq < 7.0.8 - Cross-Site Scripting
Sidekiq "
condition: and

```yaml
# Request block of the Nuclei template as shown on this page; the body matcher
# is the reflected payload listed under Detection & IOCs above.
- method: GET
  path:
    - "{{BaseURL}}/metrics?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E"
    - "{{BaseURL}}/metrics/SanityChecksJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E"
    - "{{BaseURL}}/metrics/ActiveStorage::PurgeJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E"
  stop-at-first-match: true
  matchers-condition: and
  matchers:
    - type: word
      part: body
      words:
        - '"><img/src/onerror=alert(document.domain)>'
    - type: word
      part: header
      words:
        - 'text/html'
    - type: status
      status:
        - 200
# digest: 4a0a00473045022100860fd15250b88fbbcd3a9f039ab1fba377b022cbec80659633ed346c696f51d9022040bf6dd1f0d9e55d086a29ae8ce557bc85fdfb8712649164431cdf70adcff08c:922c64590222798bb761d5b6d8e72950
```