GHSA-m875-3xf6-mf78

Source
https://github.com/advisories/GHSA-m875-3xf6-mf78
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-m875-3xf6-mf78/GHSA-m875-3xf6-mf78.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m875-3xf6-mf78
Aliases
Published
2023-03-30T22:58:38Z
Modified
2024-02-22T05:33:05.460959Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
unpoly-rails Denial of Service vulnerability
Details

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.

Impact

This issue affects Rails applications that operate as an upstream of a load balancer that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with an exceedingly long URL (path or query string), an attacker can cause unpoly-rails to write an exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active health check succeeds.

Patches

The fixed release 2.7.2.2+ is available via RubyGems and GitHub.

Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

  • Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.
  • Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.
  • Instead of changing your server configuration you may also configure your Rails application to delete redundant X-Up-Location headers set by unpoly-rails:
    class ApplicationController < ActionController::Base
    
      # Runs after every action, once unpoly-rails has set its headers.
      after_action :remove_redundant_up_location_header
    
      private
    
      # The header is redundant when it only repeats the URL that was
      # requested; dropping it keeps the URL length out of the response headers.
      def remove_redundant_up_location_header
        if request.original_url == response.headers['X-Up-Location']
          response.headers.delete('X-Up-Location')
        end
      end
    
    end
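
The following is an added example, not code from the advisory or from the unpoly-rails project. It models in plain Ruby the header echo the advisory describes and the after_action workaround above, and measures the size of the resulting header block against a load balancer limit so the effect of the workaround can be seen without a Rails application. The FakeRequest and FakeResponse structs, the helper names, the constructed URL and the 8192-byte limit are all assumptions made for the example.

```ruby
# Added example (not unpoly-rails code): a plain-Ruby model of the
# X-Up-Location echo and of the advisory's after_action workaround.

# Minimal stand-ins for the Rails request/response objects (assumed shapes).
FakeRequest  = Struct.new(:original_url)
FakeResponse = Struct.new(:headers)

# Models the gem behaviour the advisory describes: the request URL is echoed
# verbatim into the X-Up-Location response header, whatever its length.
def echo_up_location(request, response)
  response.headers['X-Up-Location'] = request.original_url
  response
end

# Same logic as the advisory's after_action: drop the header only when it
# merely repeats the request URL, so a deliberately different value is kept.
def remove_redundant_up_location_header(request, response)
  if request.original_url == response.headers['X-Up-Location']
    response.headers.delete('X-Up-Location')
  end
  response
end

# Approximate size of the serialized header block as a proxy would see it.
def header_block_bytes(headers)
  headers.sum { |name, value| "#{name}: #{value}\r\n".bytesize }
end

# The advisory's sizing rule: allow at least twice the largest URL you accept.
def recommended_header_limit(max_url_bytes)
  2 * max_url_bytes
end

# Run one request through the echo, optionally through the workaround, and
# report whether the header block would exceed the load balancer's limit.
def simulate(url, limit_bytes:, apply_workaround:)
  request  = FakeRequest.new(url)
  response = FakeResponse.new({ 'Content-Type' => 'text/html' })
  echo_up_location(request, response)
  remove_redundant_up_location_header(request, response) if apply_workaround
  bytes = header_block_bytes(response.headers)
  {
    has_up_location: response.headers.key?('X-Up-Location'),
    header_bytes: bytes,
    exceeds_limit: bytes > limit_bytes
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a URL far longer than the assumed 8 KiB header limit.
  long_url = 'https://example.test/' + ('a' * 10_000)
  [false, true].each do |fix|
    puts "workaround=#{fix}: #{simulate(long_url, limit_bytes: 8192, apply_workaround: fix)}"
  end
end
```

Without the workaround the echoed URL alone pushes the header block past the limit; with it the block shrinks back to the remaining headers. The third case in the check, a header that differs from the request URL, shows that the filter leaves non-redundant values untouched, which is why the advisory describes the deleted headers as redundant rather than removing X-Up-Location unconditionally.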
    
Database specific
{
    "nvd_published_at": "2023-03-30T20:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-30T22:58:38Z"
}
References

Affected packages

RubyGems / unpoly-rails

Package

Name
unpoly-rails
Purl
pkg:gem/unpoly-rails

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.2.2

Affected versions

0.*

0.20.0
0.21.0
0.22.0
0.22.1
0.23.0
0.24.0
0.24.1
0.25.0
0.25.1
0.25.2
0.26.0
0.26.1
0.26.2
0.27.0
0.27.1
0.27.2
0.27.3
0.28.0
0.28.1
0.29.0
0.30.0
0.30.1
0.31.0
0.31.1
0.31.2
0.32.0
0.33.0
0.34.0
0.34.1
0.34.2
0.35.0
0.35.1
0.35.2
0.36.0
0.36.1
0.36.2
0.37.0
0.50.0
0.50.1
0.50.2
0.51.0
0.51.1
0.52.0
0.53.0
0.53.1
0.53.2
0.53.3
0.53.4
0.54.0
0.54.1
0.55.0
0.55.1
0.56.0
0.56.1
0.56.2
0.56.3
0.56.4
0.56.5
0.56.6
0.56.7
0.57.0
0.60.0
0.60.1
0.60.2
0.60.3
0.61.0
0.61.1
0.62.0
0.62.1

1.*

1.0.0
1.0.1
1.0.3

2.*

2.0.0.pre.rc2
2.0.0.pre.rc3
2.0.0.pre.rc4
2.0.0.pre.rc5
2.0.0.pre.rc6
2.0.0.pre.rc7
2.0.0.pre.rc8
2.0.0.pre.rc9
2.0.0.pre.rc10
2.0.0.pre.rc11
2.0.0
2.0.1
2.1.0
2.2.0.pre.rc1
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.7.1
2.7.1.1
2.7.2
2.7.2.1