
Reflected XSS in Sidekiq Unique Jobs UI

January 24, 2024 |
Tags: SAST SCA
Category: CVE News

Security vulnerability closed in Sidekiq-Unique-Jobs

Managing background tasks is a crucial component of modern web applications, and Sidekiq is one of the leading solutions in this area. The Sidekiq-Unique-Jobs add-on extends it with uniqueness guarantees for jobs. Popular open source components deserve a closer look, however: in version 8.0.6 (and earlier) of Sidekiq-Unique-Jobs we discovered reflected cross-site scripting (XSS) vulnerabilities in the add-on's web UI that could be used to attack the administrators who operate it.

Attackers were able to inject malicious script through manipulated filter parameters and a path segment in several views of the admin UI; the script executed in the browser of whoever opened the prepared URL. Our report to the development team led to the vulnerabilities being fixed in version 8.0.7.

In this article, you will learn how this vulnerability arose, what an attack looks like, and how to quickly recognize whether you need to act. Protect your IT landscape proactively: we would be happy to advise you personally on security updates and best practices for your infrastructure.

A reflected cross-site scripting vulnerability was discovered in Sidekiq-Unique-Jobs version 8.0.6 (or earlier). We reported this vulnerability to the developer, who fixed the issue and closed the vulnerability in version 8.0.7.
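The quickest way to tell whether you need to act is to compare the version pinned in your application's Gemfile.lock against the fixed release. The following Ruby script is an added example (not code from the article or from the sidekiq-unique-jobs project); the lockfile contents are constructed for illustration and the helper names are our own.

```ruby
# Added example: check a Gemfile.lock for a vulnerable sidekiq-unique-jobs version.
# Not part of the original article or of the sidekiq-unique-jobs project.
require "rubygems"

# First fixed release named in the advisory; every earlier version is affected.
FIXED_VERSION = Gem::Version.new("8.0.7")

# Returns the pinned version of a gem from Gemfile.lock text, or nil if the gem
# is absent. Resolved gems in the "specs:" section are indented by exactly four
# spaces, e.g. "    sidekiq-unique-jobs (8.0.6)"; their dependencies are deeper.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
  m && Gem::Version.new(m[1])
end

# True when sidekiq-unique-jobs is locked to a version older than the fix.
def vulnerable?(lockfile_text)
  v = locked_version(lockfile_text, "sidekiq-unique-jobs")
  return false if v.nil? # gem not used by this application
  v < FIXED_VERSION
end

# Constructed sample lockfiles (not from a real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sidekiq (7.2.0)
      sidekiq-unique-jobs (8.0.6)
        sidekiq (>= 7.0.0, < 8.0.0)
LOCK

PATCHED_LOCK = VULNERABLE_LOCK.sub("(8.0.6)", "(8.0.7)")

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : VULNERABLE_LOCK
  v = locked_version(text, "sidekiq-unique-jobs")
  status = vulnerable?(text) ? "UPDATE to >= 8.0.7" : "OK"
  puts "sidekiq-unique-jobs #{v || 'not found'}: #{status}"
end
```

Run it as `ruby check_suj.rb path/to/Gemfile.lock`; without an argument it falls back to the constructed sample. The comparison uses Gem::Version so that pre-release and multi-digit components are ordered correctly rather than compared as strings.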

Description

Sidekiq is used to manage and execute background jobs. Sidekiq-Unique-Jobs adds uniqueness constraints to Sidekiq jobs, so that a job with the same arguments is not enqueued or executed more than once at the same time. The add-on also extends the Sidekiq web UI with views for its locks and changelogs.

The filter parameter of the following three views was found to be vulnerable to reflected cross-site scripting (the UI is assumed to be mounted at /sidekiq):

/sidekiq/locks?filter={payload}
/sidekiq/changelogs?filter={payload}
/sidekiq/expiring_locks?filter={payload}

In the accompanying screenshot, the payload "><script>alert(document.domain)</script> was entered into the ChangeLogs filter to open a proof-of-concept popup displaying the current domain.

In addition to the filter parameter, the Locks view proved to be vulnerable through a path segment:

/sidekiq/locks/{payload}

An example of a payload would be

"><img src=a onerror=alert(document.domain)>

The leading double quote closes the HTML attribute into which the value is reflected, the > closes the tag, and the img element's onerror handler then runs attacker-controlled JavaScript. The reflected value is written into the generated HTML in two places, so the payload executes twice.
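The following Ruby script is an added example, not the project's own template or fix, that shows the reflection pattern behind both the filter-parameter and the path-segment cases: a hypothetical ERB template echoes the filter value into an attribute and into a heading (the "two places"), first unescaped and then passed through ERB::Util.html_escape. The template shape and helper names are assumptions for illustration.

```ruby
# Added example: unescaped reflection of a filter value into two places of a
# page, and the same page with HTML escaping. Not the sidekiq-unique-jobs code.
require "erb"

# Payload from the article: the leading quote closes value="...", ">" closes
# the <input>, and the <img> element's onerror runs in the victim's browser.
PAYLOAD = %q{"><img src=a onerror=alert(document.domain)>}

# Hypothetical template: a filter form plus a heading that echoes the filter.
# Plain ERB's <%= %> does NOT escape HTML, so the value lands in the page as-is.
VULNERABLE_TEMPLATE = <<~ERB
  <form><input name="filter" value="<%= filter %>"></form>
  <h2>Filter: <%= filter %></h2>
ERB

# Hardened variant: every reflection goes through h(), i.e. ERB::Util.html_escape,
# which turns " < > & ' into entities so the browser treats them as text.
HARDENED_TEMPLATE = <<~ERB
  <form><input name="filter" value="<%= h(filter) %>"></form>
  <h2>Filter: <%= h(filter) %></h2>
ERB

# Minimal view object providing the binding the templates are evaluated in.
class FilterView
  include ERB::Util # provides h()
  attr_reader :filter

  def initialize(filter)
    @filter = filter
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_vulnerable(filter)
  FilterView.new(filter).render(VULNERABLE_TEMPLATE)
end

def render_hardened(filter)
  FilterView.new(filter).render(HARDENED_TEMPLATE)
end

# Number of times the payload's <img> appears as live markup in the output.
def injected_tags(html)
  html.scan(/<img src=a onerror=/).size
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unescaped (payload runs #{injected_tags(render_vulnerable(PAYLOAD))} times) ---"
  puts render_vulnerable(PAYLOAD)
  puts "--- escaped (payload runs #{injected_tags(render_hardened(PAYLOAD))} times) ---"
  puts render_hardened(PAYLOAD)
end
```

The unescaped render contains the live img element twice, once in the attribute and once in the heading, which is exactly the "executed twice" behaviour described above; the escaped render contains `&quot;&gt;&lt;img ...` and nothing the browser will execute. Escaping at the output point, rather than filtering input, is the fix that also covers a value arriving via a path segment instead of a query parameter.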

Assigned CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2023-46950
https://nvd.nist.gov/vuln/detail/CVE-2023-46951

Affected component: Sidekiq-unique-jobs

Attack type: Remote

Impact, code execution: Yes (attacker-controlled JavaScript runs in the victim's browser within the Sidekiq web UI's origin)

Attack vector: To exploit the vulnerability, a user with access to the Sidekiq web UI must open a malicious link prepared by the attacker.

Reference: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38

The Author

Mirko Richter

Mirko Richter is a Software Security Consultant, Source Code Analysis Specialist and Training Manager for basic training courses up to advanced coding and Secure SDLC training. He has been involved in software development, architecture and security since the mid-90s. He is a speaker at conferences and author of several technical articles.