GHSA-cmh9-rx85-xj38

Suggest an improvement
Source
https://github.com/advisories/GHSA-cmh9-rx85-xj38
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-cmh9-rx85-xj38/GHSA-cmh9-rx85-xj38.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cmh9-rx85-xj38
Aliases
Published
2024-02-13T18:34:16Z
Modified
2024-02-20T16:49:40.876946Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
Summary
XSS sidekiq-unique-jobs UI server vulnerability
Details

Summary

Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.

Specifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a P3 on the BugCrowd taxonomy with the following categorization: Cross-Site Scripting (XSS) > Reflected > Non-Self

It was initially thought there was a second vulnerability (RCE), but it was a false alarm. Injection is impossible with Redis:

String escaping and NoSQL injection The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.

Ref: https://redis.io/docs/management/security/

XSS Vulnerability

Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.

  1. /changelogs
  2. /locks
  3. /expiring_locks

This means if your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths are:

  1. /sidekiq/changelogs
  2. /sidekiq/locks
  3. /sidekiq/expiring_locks

XSS vulnerability is an instance of CAPEC-32: XSS Through HTTP Query Strings, which is related to CWE-80. In certain cases where it results in a server error with status 500, it could be considered a vector for uncontrolled resource consumption, given that errors can be much more resource intensive that normal requests, and thus CWE-400 & CWE-754 may also be relevant.

Details

Fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.

This is an analogous attack vector to that which affected sidekiq gem from version v7.0.4 to v7.0.7, and was given identifiers GHSA-h3r8-h5qw-4r35 & CVE-2023-1892.

The vulnerability in sidekiq-unique-jobs' was not fixed by sidekiq v7.0.8, nor the more recent sidekiq v7.2.0 releases; they are similar but unrelated, distinct vulnerabilities in adjacent projects.

Note #1: The admin web UI for sidekiq-unique-jobs is not protected by any authorization constraint in the default configuration. Auth constraints must be configured by the programmer. It is recommended and expected that users will configure authorization constrains on the "admin" UI. This is not specifically related to the vulnerability but may make users who fail to constrain their "admin" UI even more vulnerable.

Note #2: Most users of the library will not have configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets vulnerable to exposure. The purpose of a sandboxed subdomain is expressly to prevent leaking sensitive data through XSS attacks.

XSS Fix PR: https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829

PoC

XSS

Use a string like:

%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

as the value for one of the parameters that are handled without escaping. Reference: https://liveoverflow.com/do-not-use-alert-1-in-xss/

  1. Visit /sidekiq/changelogs - with a crafted query string like one of the following: a. Screenshot: XSS changelogs sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 1c changelogs count
  2. Visit /sidekiq/locks - with a crafted query string like one of the following: a. Screenshot: XSS locks sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 2c locks count
  3. Visit /sidekiq/expiring_locks - with a crafted query string like one of the following: a. Screenshot: XSS expiring_locks sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

Impact

This is a vulnerability of critical severity, which impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry, with multiple attack vectors.

Database specific
{
    "nvd_published_at": "2024-02-13T19:15:11Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-754",
        "CWE-79",
        "CWE-80"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-13T18:34:16Z"
}
References

Affected packages

RubyGems / sidekiq-unique-jobs

Package

Name
sidekiq-unique-jobs
Purl
pkg:gem/sidekiq-unique-jobs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.7

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6

RubyGems / sidekiq-unique-jobs

Package

Name
sidekiq-unique-jobs
Purl
pkg:gem/sidekiq-unique-jobs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0.rc7
Fixed
7.1.33

Affected versions

6.*

6.0.0.rc7
6.0.0.rc8
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.16
6.0.19
6.0.20
6.0.21
6.0.22
6.0.23
6.0.24
6.0.25

7.*

7.0.0.beta2
7.0.0.beta3
7.0.0.beta4
7.0.0.beta5
7.0.0.beta6
7.0.0.beta7
7.0.0.beta8
7.0.0.beta9
7.0.0.beta10
7.0.0.beta11
7.0.0.beta12
7.0.0.beta13
7.0.0.beta14
7.0.0.beta15
7.0.0.beta16
7.0.0.beta17
7.0.0.beta18
7.0.0.beta19
7.0.0.beta20
7.0.0.beta21
7.0.0.beta22
7.0.0.beta23
7.0.0.beta24
7.0.0.beta25
7.0.0.beta26
7.0.0.beta27
7.0.0.beta28
7.0.0.beta29
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
7.0.9
7.0.10
7.0.11
7.0.12
7.0.13
7.1.0
7.1.1
7.1.2
7.1.3
7.1.5
7.1.6
7.1.7
7.1.8
7.1.10
7.1.11
7.1.12
7.1.13
7.1.14
7.1.15
7.1.16
7.1.17
7.1.18
7.1.19
7.1.20
7.1.21
7.1.22
7.1.23
7.1.24
7.1.25
7.1.26
7.1.27
7.1.28
7.1.29
7.1.30
7.1.31
7.1.32