GHSA-m875-3xf6-mf78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m875-3xf6-mf78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-m875-3xf6-mf78/GHSA-m875-3xf6-mf78.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-m875-3xf6-mf78
- Aliases
- Published
- 2023-03-30T22:58:38Z
- Modified
- 2024-02-22T05:56:31.602592Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- unpoly-rails Denial of Service vulnerability
- Details
-
There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.
Impact
This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.
The unpoly-rails gem echoes the request URL as an
X-Up-Locationresponse header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.
Patches
The fixed release 2.7.2.2+ is available via RubyGems and GitHub.
Workarounds
If you cannot upgrade to a fixed release, several workarounds are available:
- Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.
- Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.
- Instead of changing your server configuration you may also configure your Rails application to delete redundant
X-Up-Locationheaders set by unpoly-rails:class ApplicationController < ActionController::Base after_action :remove_redundant_up_location_header private def remove_redundant_up_location_header if request.original_url == response.headers['X-Up-Location'] response.headers.delete('X-Up-Location') end end end
- Database specific
{ "nvd_published_at": "2023-03-30T20:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-400" ], "github_reviewed_at": "2023-03-30T22:58:38Z", "severity": "MODERATE" }- References
-
- https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78
- https://nvd.nist.gov/vuln/detail/CVE-2023-28846
- https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16
- https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/unpoly-rails/CVE-2023-28846.yml
- https://github.com/unpoly/unpoly-rails
- https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning
- https://tryhexadecimal.com/guides/http/414-request-uri-too-long
- https://unpoly.com/up.protocol
Affected packages
RubyGems / unpoly-rails
Package
- Name
- unpoly-rails
- Purl
- pkg:gem/unpoly-rails
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.2.2