Package: ruby-sidekiq
Version: 7.2.1+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

The following vulnerability was published for ruby-sidekiq.

It only affects the experimental version, as the issue was introduced
in 7.2.0 and fixed upstream in 7.2.4. It should not land in unstable, so
filing with RC severity.

CVE-2024-32887[0]:
| Sidekiq is simple, efficient background processing for Ruby. Sidekiq
| has a reflected XSS vulnerability. The value of the substr parameter is
| reflected in the response without any encoding, allowing an attacker
| to inject JavaScript code into the response of the application. An
| attacker could exploit it to target users of the Sidekiq Web UI.
| Moreover, if other applications are deployed on the same domain or
| website as Sidekiq, users of those applications could also be
| affected, leading to a broader scope of compromise. Potentially
| compromising their accounts, forcing the users to perform sensitive
| actions, stealing sensitive data, performing CORS attacks,
| defacement of the web application, etc. This issue has been patched
| in version 7.2.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32887
    https://www.cve.org/CVERecord?id=CVE-2024-32887
[1] https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq

Regards,
Salvatore
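Added illustration of the bug class described in the CVE text above; this is not Sidekiq's own code. It renders a filter value into an HTML attribute once without and once with output encoding (stdlib ERB::Util.html_escape), and includes a crude check that flags when a supplied value survives unencoded in the rendered markup. The parameter name "substr" comes from the advisory; the template and payload are constructed.

```ruby
require "erb"

# Constructed template fragment: the "substr" filter value echoed back into the page.
# Vulnerable variant: interpolates the raw parameter, so any markup in it
# becomes part of the document (reflected XSS).
def vulnerable_fragment(substr)
  %(<input type="text" name="substr" value="#{substr}">)
end

# Hardened variant: HTML-encodes < > & " ' so the value cannot leave the attribute.
def hardened_fragment(substr)
  %(<input type="text" name="substr" value="#{ERB::Util.html_escape(substr)}">)
end

# Crude detection aid for a review or a regression test: a value containing
# markup must never appear verbatim in the rendered output.
def reflects_markup?(html, substr)
  substr.include?("<") && html.include?(substr)
end

# Constructed test value that closes the attribute and opens a script tag.
PAYLOAD = 'foo"><script>alert(1)</script>'
```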

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
