CVE-2023-28846.yml
---
gem: unpoly-rails
cve: 2023-28846
ghsa: m875-3xf6-mf78
url: https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78
title: unpoly-rails Denial of Service vulnerability
date: 2023-03-30
description: |
  There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails
  gem that implements the [Unpoly server protocol](https://unpoly.com/up.protocol)
  for Rails applications.

  ### Impact

  This issue affects Rails applications that operate as an upstream of a load
  balancer that uses [passive health
  checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks).

  The [unpoly-rails](https://github.com/unpoly/unpoly-rails/) gem echoes the request URL
  as an `X-Up-Location` response header. By making a request with an exceedingly long
  URL (path or query string), an attacker can cause unpoly-rails to write an exceedingly
  large response header.

  If the response header is too large to be parsed by a load balancer downstream
  of the Rails application, it may cause the load balancer to remove the upstream
  from a load balancing group. This causes that application instance to become
  unavailable until a configured timeout is reached or until an active health check
  succeeds.

  ### Workarounds

  If you cannot upgrade to a fixed release, several workarounds are available:

  - Configure your load balancer to use active health checks, e.g. by periodically
    requesting a route with a known response that indicates healthiness.
  - Configure your load balancer so the [maximum size
    of response headers](https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning)
    is at least twice the [maximum size of a URL](https://tryhexadecimal.com/guides/http/414-request-uri-too-long).
  - Instead of changing your server configuration you may also configure your Rails
    application to delete redundant `X-Up-Location` headers set by unpoly-rails:

    ```ruby
    class ApplicationController < ActionController::Base
      after_action :remove_redundant_up_location_header

      private

      # unpoly-rails only needs X-Up-Location when the final location differs
      # from the requested URL (e.g. after a redirect). When it merely echoes
      # the request URL, drop it so a long attacker-supplied URL is not
      # reflected into a response header.
      def remove_redundant_up_location_header
        if request.original_url == response.headers['X-Up-Location']
          response.headers.delete('X-Up-Location')
        end
      end
    end
    ```
cvss_v3: 5.9
patched_versions:
  - ">= 2.7.2.2"
related:
  url:
    - https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16
    - https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks
    - https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning
    - https://tryhexadecimal.com/guides/http/414-request-uri-too-long
    - https://unpoly.com/up.protocol
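The following is an added example, not code from the advisory or from unpoly-rails. It generalises the controller-level workaround above into a Rack middleware, so it applies to any Rack application behind the load balancer, and shows both halves of the behaviour: a constructed app that echoes the request URL (the vulnerable pattern the advisory describes) has its oversized `X-Up-Location` header stripped, while a response whose `X-Up-Location` legitimately differs from the request URL keeps it. The `StripRedundantUpLocation` class, `UpLocation.request_url` helper, the two app lambdas and the request environments are all constructed for this example; the URL reconstruction mirrors `Rack::Request#url` without depending on the rack gem.

```ruby
# Added example (not unpoly-rails code). Rack-level version of the advisory's
# workaround: remove an X-Up-Location header that only echoes the request URL.

module UpLocation
  HEADER = "X-Up-Location"

  # Rebuild the full request URL from a Rack env the way Rack::Request#url
  # does: scheme, host, script name, path and (if present) query string.
  def self.request_url(env)
    scheme = env["rack.url_scheme"] || "http"
    host   = env["HTTP_HOST"] || env["SERVER_NAME"]
    url    = "#{scheme}://#{host}#{env['SCRIPT_NAME']}#{env['PATH_INFO']}"
    query  = env["QUERY_STRING"].to_s
    query.empty? ? url : "#{url}?#{query}"
  end
end

class StripRedundantUpLocation
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names may differ in case depending on the framework; match loosely.
    key = headers.keys.find { |k| k.casecmp?(UpLocation::HEADER) }
    # Only drop the header when it is a pure echo of the request URL. A
    # different value (e.g. the target of a redirect) is what Unpoly needs.
    headers.delete(key) if key && headers[key] == UpLocation.request_url(env)
    [status, headers, body]
  end
end

# Constructed stand-in for the vulnerable behaviour: every response reflects
# the request URL into X-Up-Location, so header size tracks URL size.
ECHOING_APP = lambda do |env|
  [200,
   { "Content-Type" => "text/plain",
     UpLocation::HEADER => UpLocation.request_url(env) },
   ["ok"]]
end

# Constructed app whose X-Up-Location legitimately differs from the request
# URL (the redirect-following case). The middleware must leave this alone.
REDIRECTED_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/plain",
     UpLocation::HEADER => "https://example.test/final" },
   ["ok"]]
end

# Minimal constructed Rack env for an HTTPS request to example.test.
def env_for(path, query = "")
  {
    "rack.url_scheme" => "https",
    "HTTP_HOST"       => "example.test",
    "SCRIPT_NAME"     => "",
    "PATH_INFO"       => path,
    "QUERY_STRING"    => query,
  }
end

# X-Up-Location value (or nil) that reaches the client for a given request.
def up_location_for(app, path, query = "")
  _status, headers, _body = StripRedundantUpLocation.new(app).call(env_for(path, query))
  headers[UpLocation::HEADER]
end

# Byte size of the X-Up-Location header the raw (unwrapped) app would emit.
def raw_up_location_bytes(app, path, query = "")
  _status, headers, _body = app.call(env_for(path, query))
  headers.fetch(UpLocation::HEADER).bytesize
end

if __FILE__ == $PROGRAM_NAME
  long_path = "/" + ("a" * 20_000)   # an attacker-sized URL, within typical 414 limits
  puts "raw echo header bytes:   #{raw_up_location_bytes(ECHOING_APP, long_path)}"
  puts "after middleware:        #{up_location_for(ECHOING_APP, long_path).inspect}"
  puts "redirect header kept as: #{up_location_for(REDIRECTED_APP, '/start')}"
end
```

The middleware compares the exact reconstructed URL, so a proxy that rewrites the `Host` header or strips the scheme before the request reaches the app will make the comparison fail and the echo will survive; in that case set `HTTP_HOST` / `rack.url_scheme` from the trusted forwarding headers before this middleware runs, or fall back to one of the load-balancer side mitigations above.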