[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 31 Jul 2015 23:45:38 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com,
Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem
Sidekiq is "Simple, efficient background processing for Ruby" (a gem)
* http://sidekiq.org
* https://github.com/mperham/sidekiq/
* https://rubygems.org/gems/sidekiq
Was going through Sidekiq's changelog and its commits, and I came across
several security issues that lack CVEs.
XSS via queue name in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/issues/2330
* Fixed by
https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
* Fix released in sidekiq 3.4.0
XSS via job arguments display class in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/pull/2309
* Fixed by
https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
* Fix released in sidekiq 3.4.0
Sidekiq::Web lacks CSRF protection
* Reported via https://github.com/mperham/sidekiq/pull/2422
* Fixed by
https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
* Fix released in sidekiq 3.4.2
* Follow-up fix in
https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
to enable sessions in Sinatra, plus mention of a possible monkey patch
needed to make Rails work correctly (neither change is in a release yet).
Can CVEs be assigned for these issues?
Thanks,
~reed
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
