CVE-2022-23837: 
Ruby vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2022-23837) was discovered in Sidekiq before versions 5.2.10 and 6.4.0. The vulnerability was found in the api.rb file where there was no limit on the number of days when requesting stats for the graph (MITRE CVE, NVD).

The vulnerability exists in the api.rb file of Sidekiq, where the application failed to implement limits on the number of days parameter when requesting statistics for the graph. This oversight could allow an attacker to request an excessive number of days, leading to system overload. The fix implemented validates the 'days' parameter to prevent values less than 1 or greater than 180 days for the web interface, and values between 1 and 5 years (1825 days) for the API (GitHub Commit).

When exploited, this vulnerability affects the Web UI by overloading the system, making it unavailable to users. The denial of service condition could be triggered by requesting statistics for an excessive number of days, effectively disrupting the service's availability (MITRE CVE).

The vulnerability has been fixed in Sidekiq versions 5.2.10 and 6.4.0. Users are advised to upgrade to these or later versions. The fix implements proper validation of the 'days' parameter to prevent DoS attacks. Debian has also released security updates addressing this vulnerability in multiple versions: 4.2.3+dfsg-1+deb9u1 for Debian 9 stretch and 5.2.3+dfsg-1+deb10u1 for Debian 10 buster (Debian LTS).