Date: Fri, 31 Jul 2015 23:45:38 -0700 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem Sidekiq is "Simple, efficient background processing for Ruby" (a gem) * http://sidekiq.org * https://github.com/mperham/sidekiq/ * https://rubygems.org/gems/sidekiq Was going through Sidekiq's changelog and its commits, and I came across several security issues that lack CVEs. XSS via queue name in Sidekiq::Web * Reported via https://github.com/mperham/sidekiq/issues/2330 * Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828 * Fix released in sidekiq 3.4.0 XSS via job arguments display class in Sidekiq::Web * Reported via https://github.com/mperham/sidekiq/pull/2309 * Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61 * Fix released in sidekiq 3.4.0 Sidekiq::Web lacks CSRF protection * Reported via https://github.com/mperham/sidekiq/pull/2422 * Fixed by https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad * Fix released in sidekiq 3.4.2 * Follow-up fix in https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694 to enable sessions in Sinatra, plus mention of a possible monkey patch needed to make Rails work correctly (neither change is in a release yet). Can CVEs be assigned for these issues? Thanks, ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.