sidekiq 拒绝服务漏洞 (CVE-2023-26141)

admin

0
文章

0
评论

2023-11-30 03:31:52 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 sidekiq 拒绝服务漏洞 (CVE-2023-26141)

CVE编号

CVE-2023-26141

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-02-20

漏洞描述

Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a
https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6
https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89
https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	contribsys	sidekiq	*		Up to (excluding) 7.1.3
	运行在以下环境
	系统	debian_10	ruby-sidekiq	*		Up to (including) 5.2.3+dfsg-1
	运行在以下环境
	系统	debian_11	ruby-sidekiq	*		Up to (including) 6.0.4+dfsg-2
	运行在以下环境
	系统	debian_12	ruby-sidekiq	*		Up to (including) 6.4.1+dfsg-1
	运行在以下环境
	系统	debian_sid	ruby-sidekiq	*		Up to (including) 6.5.7+dfsg3-3