[GHSA-cmh9-rx85-xj38] sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis #3546
Conversation
|
Hi there @pboling and @mhenrixon! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
Earlopain/advisory-improvement-3546
|
I don't understand how it wasn't already fixed, since I had already edited the advisory to update these things. Too many sources of truth! |
|
Hi there @pboling and @mhenrixon! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Hi there @pboling and @mhenrixon! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Sorry for the double-ping, I wanted to add a lower bounds to the affected versions since there wasn't always a Web UI. It was only introduced in v6.0.0.rc7, see https://github.com/mhenrixon/sidekiq-unique-jobs/blob/main/CHANGELOG.md#v600rc7-2018-07-23 I expected another modification to create an additional PR but it seems to just have eaten my previous changes. |
advisory-database
bot
merged commit 3672343
into
Earlopain/advisory-improvement-3546
|
Hi @Earlopain! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
The CVE analysis of this vulnerability was assigned a score of 7.1. This is quite different to the 10 on initial report.
This updates the score of this advisory to what is displayed at https://nvd.nist.gov/vuln/detail/CVE-2024-25122
I have also removed the mention of RCE in the title. There was no RCE vulnerability. See mhenrixon/sidekiq-unique-jobs#833 (comment) and mhenrixon/sidekiq-unique-jobs#833 (comment)
Finally, I added a lower bound to vulnerable versions, it was only introduced in v6.0.0.rc7, see https://github.com/mhenrixon/sidekiq-unique-jobs/blob/main/CHANGELOG.md#v600rc7-2018-07-23
The advisory in the repository has already been updated: GHSA-cmh9-rx85-xj38