Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tODc1LTN4ZjYtbWY3OM4AAyeB

unpoly-rails Denial of Service vulnerability

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.

Impact

This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.

Patches

The fixed release 2.7.2.2+ is available via RubyGems and GitHub.

Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

Permalink: https://github.com/advisories/GHSA-m875-3xf6-mf78
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tODc1LTN4ZjYtbWY3OM4AAyeB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-m875-3xf6-mf78, CVE-2023-28846
References: Repository: https://github.com/unpoly/unpoly-rails
Blast Radius: 6.1

Affected Packages

rubygems:unpoly-rails
Dependent packages: 0
Dependent repositories: 11
Downloads: 258,290 total
Affected Version Ranges: < 2.7.2.2
Fixed in: 2.7.2.2
All affected versions:
All unaffected versions: 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.28.1, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.33.0, 0.34.0, 0.34.1, 0.34.2, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.36.1, 0.36.2, 0.37.0, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.51.1, 0.52.0, 0.53.0, 0.53.1, 0.53.2, 0.53.3, 0.53.4, 0.54.0, 0.54.1, 0.55.0, 0.55.1, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.56.4, 0.56.5, 0.56.6, 0.56.7, 0.57.0, 0.60.0, 0.60.1, 0.60.2, 0.60.3, 0.61.0, 0.61.1, 0.62.0, 0.62.1, 1.0.0, 1.0.1, 1.0.3, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.7.1, 2.7.2, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0