CVE-2022-23837: Validate `days` parameter to avoid possible DoS in Web UI · mperham/sidekiq@7785ac1
In api.rb in Sidekiq before 6.4.0, the `days` parameter used when requesting stats for the Web UI graph is not bounded, so a request naming an arbitrarily large number of days makes the history lookup do unbounded work. This overloads the system, affecting the Web UI, and makes it unavailable to users.
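The failure mode here is an attacker-controlled integer that sizes server-side work. The following is an added example, not Sidekiq's own code, of parsing such a `days` query parameter strictly: it applies the same 1..180 bound as the fix and additionally rejects non-numeric input outright instead of relying on `String#to_i`, which silently coerces `"abc"` to 0 and `"30abc"` to 30. The `BadRequest` class, the `handle_stats` handler and the `MAX_DAYS` constant are assumptions for illustration; the handler returns a status and value instead of touching Sinatra or Redis so it runs stand-alone.

```ruby
# Added example (not Sidekiq's code): strict, bounded parsing of a
# user-supplied "days" query parameter for a stats-history endpoint.
DEFAULT_DAYS = 30   # used when the parameter is absent
MAX_DAYS = 180      # upper bound; assumption mirroring the fix's 1..180 range

class BadRequest < StandardError; end  # hypothetical error type for illustration

# Parses +raw+ (a query-string value or nil) into a day count.
# Returns DEFAULT_DAYS when the parameter is absent, raises BadRequest when
# it is non-numeric or outside 1..MAX_DAYS. Integer() is used instead of
# to_i because to_i turns "30abc" into 30 and "abc" into 0 without error.
def parse_days(raw)
  return DEFAULT_DAYS if raw.nil? || raw.empty?
  days = Integer(raw, 10)
  unless (1..MAX_DAYS).cover?(days)
    raise BadRequest, "days must be between 1 and #{MAX_DAYS}"
  end
  days
rescue ArgumentError, TypeError
  raise BadRequest, "days must be a base-10 integer"
end

# Simulated handler (hypothetical): maps a params hash to [status, body].
# A real handler would build the history object only after validation passes,
# so the request can never reach the expensive step with a bad value.
def handle_stats(params)
  days = parse_days(params["days"])
  [200, { "days" => days }]
rescue BadRequest => e
  [400, { "error" => e.message }]
end
```

Rejecting the request before any history object is constructed is the property that matters; where the check sits after the expensive call, the bound is decorative.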
@@ -50,7 +50,10 @@ def self.set(key, val)
get “/” do
@redis_info = redis_info.select { |k, v| REDIS_KEYS.include? k }
stats_history = Sidekiq::Stats::History.new((params[“days”] || 30).to_i)
days = (params[“days”] || 30).to_i
return halt(401) if days < 1 || days > 180
stats_history = Sidekiq::Stats::History.new(days)
@processed_history = stats_history.processed
@failed_history = stats_history.failed
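Review bot: `return halt(401) if days < 1 || days > 180` answers an out-of-range `days` with 401 Unauthorized, which labels a malformed input as an authentication failure; 400 Bad Request is the fitting status (`halt(400)`), and the bare literal 180 deserves a named constant next to the handler so the limit is documented rather than implied. Also note that `(params["days"] || 30).to_i` coerces non-numeric input such as `abc` to 0, which the `days < 1` branch does reject, but a value like `30abc` is silently accepted as 30; parsing with `Integer()` would reject such input outright instead of half-accepting it.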