
CVE-2023-28846 unpoly-rails

Package

Manager: gem
Name: unpoly-rails
Vulnerable Version: >=0 <2.7.2.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00266 (percentile 0.4985)

Details

unpoly-rails Denial of Service vulnerability

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the [Unpoly server protocol](https://unpoly.com/up.protocol) for Rails applications.

### Impact

This issue affects Rails applications that operate as an upstream of a load balancer that uses [passive health checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks).

The [unpoly-rails](https://github.com/unpoly/unpoly-rails/) gem echoes the request URL as an `X-Up-Location` response header. By making a request with an exceedingly long URL (path or query string), an attacker can cause unpoly-rails to write an exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active health check succeeds.

### Patches

The fixed release 2.7.2.2+ is available via RubyGems and GitHub.

### Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

- Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.
- Configure your load balancer so the [maximum size of response headers](https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning) is at least twice the [maximum size of a URL](https://tryhexadecimal.com/guides/http/414-request-uri-too-long).
- Instead of changing your server configuration, you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails:

  ```ruby
  class ApplicationController < ActionController::Base
    # Runs after every action and strips the header when it merely repeats
    # the request URL, which is the case the advisory describes.
    after_action :remove_redundant_up_location_header

    private

    def remove_redundant_up_location_header
      if request.original_url == response.headers['X-Up-Location']
        response.headers.delete('X-Up-Location')
      end
    end
  end
  ```
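A complementary mitigation that works for any Rack application, added here as an example and not code from the advisory or the unpoly-rails project: a middleware that drops the `X-Up-Location` header once it exceeds a byte limit, so an oversized URL is never echoed back as an oversized header. The limit, the echoing stand-in app and the request values are constructed assumptions; in practice the limit is set below the proxy's response-header buffer.

```ruby
# Added example (not from the advisory or the unpoly-rails gem): cap the size
# of the X-Up-Location response header. Assumes a plain Rack app; max_bytes is
# a constructed default to be set below the proxy's header buffer size.
class CapUpLocationHeader
  HEADER = 'X-Up-Location'

  def initialize(app, max_bytes: 4096)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rack 3 lower-cases header names, so match the name case-insensitively.
    key = headers.keys.find { |k| k.to_s.casecmp?(HEADER) }
    headers.delete(key) if key && headers[key].to_s.bytesize > @max_bytes
    [status, headers, body]
  end
end

# Constructed stand-in for an app that echoes the request URL into
# X-Up-Location, mimicking the unpoly-rails behaviour described above.
ECHO_APP = lambda do |env|
  url = "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  url += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
  [200, { 'Content-Type' => 'text/plain', 'X-Up-Location' => url }, ['ok']]
end

# Sends one constructed request through the middleware and returns the
# response headers, so the effect of the cap can be inspected.
def capped_headers(path, query = '', max_bytes: 256)
  env = { 'rack.url_scheme' => 'https', 'HTTP_HOST' => 'app.example',
          'PATH_INFO' => path, 'QUERY_STRING' => query }
  CapUpLocationHeader.new(ECHO_APP, max_bytes: max_bytes).call(env)[1]
end

if __FILE__ == $PROGRAM_NAME
  p capped_headers('/users', 'page=2')          # short URL: header kept
  p capped_headers('/users', 'q=' + 'a' * 300)  # over the cap: header dropped
end
```

Wire it in with `config.middleware.use CapUpLocationHeader, max_bytes: ...` in a Rails initializer; unlike the after_action above, it also covers headers set outside controllers.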

Metadata

Created: 2023-03-30T22:58:38Z
Modified: 2023-04-07T22:54:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-m875-3xf6-mf78/GHSA-m875-3xf6-mf78.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-m875-3xf6-mf78
Finding: F002
Auto approve: 1