CVE-2023-26141: 
Ruby vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2023-26141) was discovered in Sidekiq versions before 7.1.3 and before 6.5.10. The vulnerability was discovered by Keegan Parr and disclosed on September 7, 2023. The vulnerability affects the dashboard-charts.js file in Sidekiq's web interface, impacting both the 6.x and 7.x branches of the software (Snyk, CVE).

The vulnerability exists due to insufficient validation of the localStorage.sidekiqTimeInterval value in the dashboard-charts.js file. The code parses this value using parseInt without proper validation, which is then used to set the polling interval. By default, the interval is set to 5000 milliseconds, but an attacker can manipulate this value to cause excessive polling requests. The vulnerability has a CVSS v3.1 base score of 4.9 (Medium), with high impact on availability but requiring high privileges to exploit (Snyk, GitHub Commit).

When exploited, this vulnerability can cause a Denial of Service (DoS) condition by generating excessive polling requests to the server. Setting the localStorage value to a very low number (such as "1") can result in up to 1000 polling requests per second, potentially making the site unusable and affecting server performance. The impact could be amplified if multiple users with dashboard access exploit this vulnerability simultaneously (GitHub Gist).

The vulnerability has been fixed in Sidekiq versions 6.5.10 and 7.1.3 by implementing a minimum delay of 2000 milliseconds for the polling interval. Users are advised to upgrade to these versions or later. For those unable to upgrade immediately, implementing access controls to restrict dashboard access and placing the dashboard behind a Rails constraint can help mitigate the risk (GitHub Commit).