CVE-2024-25122

{"id": "CVE-2024-25122", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.8}]}, "published": "2024-02-13T19:15:11.357", "references": [{"url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' \"admin\" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in. 1. `/changelogs`, 2. `/locks` or 3. `/expiring_locks`. This issue has been addressed in versions 7.1.33 and 8.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "sidekiq-unique-jobs es un proyecto de c\u00f3digo abierto que evita que se ejecuten trabajos Sidekiq simult\u00e1neos con los mismos argumentos \u00fanicos. Los par\u00e1metros de solicitud GET especialmente manipulados manejados por cualquiera de los siguientes endpoints de la interfaz de usuario web \"admin\" de sidekiq-unique-jobs, permiten que un atacante superusuario o una v\u00edctima involuntaria, pero autorizada, que haya recibido un enlace disfrazado/manipulado, para ejecutar con \u00e9xito c\u00f3digo malicioso, que podr\u00eda robar cookies, datos de sesi\u00f3n o datos de almacenamiento local de la aplicaci\u00f3n en la que est\u00e1 montada la interfaz de usuario web de sidekiq-unique-jobs. 1. `/changelogs`, 2. `/locks` o 3. `/cerraduras_expirantes`. Este problema se solucion\u00f3 en las versiones 7.1.33 y 8.0.7. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-10-11T19:15:51.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mhenrixon:sidekiq-unique-jobs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C67DE7A3-6B7C-4508-8D33-2A0DD8AF4533", "versionEndExcluding": "7.1.33"}, {"criteria": "cpe:2.3:a:mhenrixon:sidekiq-unique-jobs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37AA85C7-F423-4C52-A639-7E3FF13F47AD", "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}