CVE-2022-23837

NameCVE-2022-23837
DescriptionIn api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2943-1, DLA-3360-1
Debian Bugs1004193

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-sidekiq (PTS)jessie3.2.6~dfsg-1vulnerable
stretch (security), stretch (lts), stretch4.2.3+dfsg-1+deb9u1fixed
buster (security), buster, buster (lts)5.2.3+dfsg-1+deb10u1fixed
bullseye6.0.4+dfsg-2vulnerable
bookworm6.4.1+dfsg-1fixed
sid, trixie7.3.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-sidekiqsourcejessie(unfixed)end-of-life
ruby-sidekiqsourcestretch4.2.3+dfsg-1+deb9u1DLA-2943-1
ruby-sidekiqsourcebuster5.2.3+dfsg-1+deb10u1DLA-3360-1
ruby-sidekiqsource(unstable)6.4.1+dfsg-11004193

Notes

[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0)
Search for package or bug name: Reporting problems