Date: Fri, 31 Jul 2015 23:45:38 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem Sidekiq is "Simple, efficient background processing for Ruby" (a gem) * http://sidekiq.org * https://github.com/mperham/sidekiq/ * https://rubygems.org/gems/sidekiq Was going through Sidekiq's changelog and its commits, and I came across several security issues that lack CVEs. XSS via queue name in Sidekiq::Web * Reported via https://github.com/mperham/sidekiq/issues/2330 * Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828 * Fix released in sidekiq 3.4.0 XSS via job arguments display class in Sidekiq::Web * Reported via https://github.com/mperham/sidekiq/pull/2309 * Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61 * Fix released in sidekiq 3.4.0 Sidekiq::Web lacks CSRF protection * Reported via https://github.com/mperham/sidekiq/pull/2422 * Fixed by https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad * Fix released in sidekiq 3.4.2 * Follow-up fix in https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694 to enable sessions in Sinatra, plus mention of a possible monkey patch needed to make Rails work correctly (neither change is in a release yet). Can CVEs be assigned for these issues? Thanks, ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ