Skip to content

unpoly-rails Denial of Service vulnerability

Moderate severity GitHub Reviewed Published Mar 30, 2023 in unpoly/unpoly-rails • Updated Apr 7, 2023

Package

bundler unpoly-rails (RubyGems)

Affected versions

< 2.7.2.2

Patched versions

2.7.2.2

Description

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.

Impact

This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.

Patches

The fixed release 2.7.2.2+ is available via RubyGems and GitHub.

Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

  • Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.

  • Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.

  • Instead of changing your server configuration you may also configure your Rails application to delete redundant X-Up-Location headers set by unpoly-rails:

    class ApplicationController < ActionController::Base
    
      after_action :remove_redundant_up_location_header
      
      private
      
      def remove_redundant_up_location_header
        if request.original_url == response.headers['X-Up-Location']
          response.headers.delete('X-Up-Location')
        end
      end
    
    end

References

@triskweline triskweline published to unpoly/unpoly-rails Mar 30, 2023
Published by the National Vulnerability Database Mar 30, 2023
Published to the GitHub Advisory Database Mar 30, 2023
Reviewed Mar 30, 2023
Last updated Apr 7, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

0.419%
(75th percentile)

Weaknesses

CVE ID

CVE-2023-28846

GHSA ID

GHSA-m875-3xf6-mf78

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.