Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 31 Jul 2015 23:45:38 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem

Sidekiq is "Simple, efficient background processing for Ruby" (a gem)
* http://sidekiq.org
* https://github.com/mperham/sidekiq/
* https://rubygems.org/gems/sidekiq

Was going through Sidekiq's changelog and its commits, and I came across
several security issues that lack CVEs.

XSS via queue name in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/issues/2330
* Fixed by
https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
* Fix released in sidekiq 3.4.0

XSS via job arguments display class in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/pull/2309
* Fixed by
https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
* Fix released in sidekiq 3.4.0

Sidekiq::Web lacks CSRF protection
* Reported via https://github.com/mperham/sidekiq/pull/2422
* Fixed by
https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
* Fix released in sidekiq 3.4.2
* Follow-up fix in
https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
to enable sessions in Sinatra, plus mention of a possible monkey patch
needed to make Rails work correctly (neither change is in a release yet).

Can CVEs be assigned for these issues?

Thanks,
~reed

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ