Added CVE-2024-32887 for sidekiq.

postmodern · postmodern · commit 76a499f23e0b · 2024-04-27T10:44:22.000-07:00
diff --git a/gems/sidekiq/CVE-2024-32887.yml b/gems/sidekiq/CVE-2024-32887.yml
@@ -0,0 +1,22 @@
+---
+gem: sidekiq
+cve: 2024-32887
+ghsa: GHSA-q655-3pj8-9fxq
+url: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
+title: Reflected XSS in Metrics Web Page
+date: 2024-04-26
+description: |
+  Reflected XSS in Sidekiq Web UI via the `/metrics` HTTP end-point and the
+  `substr` query param:
+
+      https://{host}/sidekiq/metrics?substr=foot%22%3E%3Cscript%20src=%22{payload}
+
+cvss_v3: 5.5
+unaffected_versions:
+  - "< 7.2.0"
+patched_versions:
+  - ">= 7.2.4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32887
+    - https://github.com/sidekiq/sidekiq/commit/30786e082c70349ab27ffa9eccc42fb0c696164d
