unpoly-rails Gem prior 2.7.2.2 on Ruby Header X-Up-Location resource consumption

Summaryinfo

A vulnerability was found in unpoly-rails Gem on Ruby. It has been declared as problematic. Impacted is an unknown function of the component Header Handler. Such manipulation of the argument X-Up-Location leads to resource consumption. This vulnerability is documented as CVE-2023-28846. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in unpoly-rails Gem on Ruby (Ruby Gem) and classified as problematic. Affected by this issue is some unknown processing of the component Header Handler. The manipulation of the argument X-Up-Location with an unknown input leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. CVE summarizes:

Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.

The weakness was released 03/31/2023 as GHSA-m875-3xf6-mf78. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-28846 since 03/24/2023. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1499.

Upgrading to version 2.7.2.2 eliminates this vulnerability. Applying the patch cd9ad0007daceeb3b2354fdcab4f88350427bf16 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Ruby Gem

Name

• unpoly-rails Gem

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion