{"api_version":"1","generated_at":"2026-04-23T02:25:14+00:00","cve":"CVE-2022-23837","urls":{"html":"https://cve.report/CVE-2022-23837","api":"https://cve.report/api/cve/CVE-2022-23837.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23837","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23837"},"summary":{"title":"CVE-2022-23837","description":"In api.rb in Sidekiq before 5.2.10 and 6.x before 6.4.0, there is no upper bound on the `days` parameter used when requesting stats for the Web UI graph. A request for a very large number of days overloads the system, affecting the Web UI and making it unavailable to users (CWE-770: allocation of resources without limits). The fix validates the `days` parameter.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-01-21 21:15:00","updated_at":"2023-03-13 00:15:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956","name":"https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956","refsource":"MISC","tags":[],"title":"Validate `days` parameter to avoid possible DoS in Web UI · mperham/sidekiq@7785ac1 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html","name":"[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2943-1] ruby-sidekiq security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rubysec/ruby-advisory-db/pull/495","name":"https://github.com/rubysec/ruby-advisory-db/pull/495","refsource":"MISC","tags":[],"title":"Sidekiq version 5.2.10 also addresses CVE-2022-23837 by sqbell · Pull Request #495 · rubysec/ruby-advisory-db · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html","name":"[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security 
update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3360-1] ruby-sidekiq security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md","name":"https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md","refsource":"MISC","tags":[],"title":"exploits/sidekiq.md at main · TUTUMSPACE/exploits · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23837","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23837","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23837","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"contribsys","cpe5":"sidekiq","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23837","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23837","qid":"179123","title":"Debian Security Update for ruby-sidekiq (DLA 2943-1)"},{"cve":"CVE-2022-23837","qid":"181627","title":"Debian Security Update for ruby-sidekiq (DLA 3360-1)"},{"cve":"CVE-2022-23837","qid":"182791","title":"Debian Security Update for ruby-sidekiq (CVE-2022-23837)"},{"cve":"CVE-2022-23837","qid":"240566","title":"Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)"},{"cve":"CVE-2022-23837","qid":"960505","title":"Rocky Linux Security Update for Satellite 
(RLSA-2022:5498)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-23837","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956","refsource":"MISC","name":"https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956"},{"url":"https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md","refsource":"MISC","name":"https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md"},{"refsource":"MISC","name":"https://github.com/rubysec/ruby-advisory-db/pull/495","url":"https://github.com/rubysec/ruby-advisory-db/pull/495"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html"}]}},"nvd":{"publishedDate":"2022-01-21 21:15:00","lastModifiedDate":"2023-03-13 
00:15:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23837","Ordinal":"226726","Title":"CVE-2022-23837","CVE":"CVE-2022-23837","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23837","Ordinal":"1","NoteData":"In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. 
This overloads the system, affecting the Web UI, and makes it unavailable to users.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23837","Ordinal":"2","NoteData":"2022-01-21","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23837","Ordinal":"3","NoteData":"2022-02-07","Type":"Other","Title":"Modified"}]}}}