Skip to content

XSS sidekiq-unique-jobs UI server vulnerability

High
mhenrixon published GHSA-cmh9-rx85-xj38 Feb 13, 2024

Package

bundler sidekiq-unique-jobs (RubyGems)

Affected versions

< 8.0.7, < 7.1.33

Patched versions

>= 8.0.7, >= 7.1.33

Description

Summary

Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.

Specifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a P3 on the BugCrowd taxonomy with the following categorization:
Cross-Site Scripting (XSS) > Reflected > Non-Self

It was initially thought there was a second vulnerability (RCE), but it was a false alarm. Injection is impossible with Redis:

String escaping and NoSQL injection
The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.

Ref: https://redis.io/docs/management/security/

XSS Vulnerability

Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.

  1. /changelogs
  2. /locks
  3. /expiring_locks

This means if your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths are:

  1. /sidekiq/changelogs
  2. /sidekiq/locks
  3. /sidekiq/expiring_locks

XSS vulnerability is an instance of CAPEC-32: XSS Through HTTP Query Strings, which is related to CWE-80. In certain cases where it results in a server error with status 500, it could be considered a vector for uncontrolled resource consumption, given that errors can be much more resource intensive that normal requests, and thus CWE-400 & CWE-754 may also be relevant.

Details

Fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.

This is an analogous attack vector to that which affected sidekiq gem from version v7.0.4 to v7.0.7, and was given identifiers GHSA-h3r8-h5qw-4r35 & CVE-2023-1892.

The vulnerability in sidekiq-unique-jobs' was not fixed by sidekiq v7.0.8, nor the more recent sidekiq v7.2.0 releases; they are similar but unrelated, distinct vulnerabilities in adjacent projects.

Note #1: The admin web UI for sidekiq-unique-jobs is not protected by any authorization constraint in the default configuration. Auth constraints must be configured by the programmer. It is recommended and expected that users will configure authorization constrains on the "admin" UI. This is not specifically related to the vulnerability but may make users who fail to constrain their "admin" UI even more vulnerable.

Note #2: Most users of the library will not have configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets vulnerable to exposure. The purpose of a sandboxed subdomain is expressly to prevent leaking sensitive data through XSS attacks.

XSS Fix PR: #829

PoC

XSS

Use a string like:

%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

as the value for one of the parameters that are handled without escaping.
Reference: https://liveoverflow.com/do-not-use-alert-1-in-xss/

  1. Visit /sidekiq/changelogs - with a crafted query string like one of the following:
    a. Screenshot: XSS changelogs sidekiq-unique-jobs lte v8 0 6
    b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 1c changelogs count
  2. Visit /sidekiq/locks - with a crafted query string like one of the following:
    a. Screenshot: XSS locks sidekiq-unique-jobs lte v8 0 6
    b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 2c locks count
  3. Visit /sidekiq/expiring_locks - with a crafted query string like one of the following:
    a. Screenshot: XSS expiring_locks sidekiq-unique-jobs lte v8 0 6
    b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

Impact

This is a vulnerability of critical severity, which impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry, with multiple attack vectors.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE ID

CVE-2024-25122

Credits