Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 31 Jul 2015 23:45:38 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem

Sidekiq is "Simple, efficient background processing for Ruby" (a gem)
* http://sidekiq.org
* https://github.com/mperham/sidekiq/
* https://rubygems.org/gems/sidekiq

Was going through Sidekiq's changelog and its commits, and I came across
several security issues that lack CVEs.

XSS via queue name in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/issues/2330
* Fixed by
https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
* Fix released in sidekiq 3.4.0

XSS via job arguments display class in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/pull/2309
* Fixed by
https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
* Fix released in sidekiq 3.4.0

Sidekiq::Web lacks CSRF protection
* Reported via https://github.com/mperham/sidekiq/pull/2422
* Fixed by
https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
* Fix released in sidekiq 3.4.2
* Follow-up fix in
https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
to enable sessions in Sinatra, plus mention of a possible monkey patch
needed to make Rails work correctly (neither change is in a release yet).

Can CVEs be assigned for these issues?

Thanks,
~reed

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.