Vulnerability-Lookup

CVE-2023-28846 (GCVE-0-2023-28846)

Vulnerability from cvelistv5 – Published: 2023-03-30 19:57 – Updated: 2025-02-11 18:46

Title

Denial of Service in unpoly-rails

Summary

Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/unpoly/unpoly-rails/security/a…	x_refsource_CONFIRM
	https://github.com/unpoly/unpoly-rails/commit/cd9…	x_refsource_MISC
	https://docs.nginx.com/nginx/admin-guide/load-bal…	x_refsource_MISC
	https://github.com/unpoly/unpoly-rails/	x_refsource_MISC
	https://makandracards.com/operations/537537-nginx…	x_refsource_MISC
	https://tryhexadecimal.com/guides/http/414-reques…	x_refsource_MISC
	https://unpoly.com/up.protocol	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	unpoly	unpoly-rails	Affected: < 2.7.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T13:51:38.695Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
          },
          {
            "name": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
          },
          {
            "name": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
          },
          {
            "name": "https://github.com/unpoly/unpoly-rails/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/unpoly/unpoly-rails/"
          },
          {
            "name": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
          },
          {
            "name": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
          },
          {
            "name": "https://unpoly.com/up.protocol",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://unpoly.com/up.protocol"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T18:46:12.608525Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T18:46:42.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unpoly-rails",
          "vendor": "unpoly",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.7.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.  If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-30T19:57:38.767Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
        },
        {
          "name": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
        },
        {
          "name": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
        },
        {
          "name": "https://github.com/unpoly/unpoly-rails/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/unpoly/unpoly-rails/"
        },
        {
          "name": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
        },
        {
          "name": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
        },
        {
          "name": "https://unpoly.com/up.protocol",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://unpoly.com/up.protocol"
        }
      ],
      "source": {
        "advisory": "GHSA-m875-3xf6-mf78",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of Service in unpoly-rails"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28846",
    "datePublished": "2023-03-30T19:57:38.767Z",
    "dateReserved": "2023-03-24T16:25:34.466Z",
    "dateUpdated": "2025-02-11T18:46:42.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-28846",
      "date": "2026-05-05",
      "epss": "0.015",
      "percentile": "0.81222"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:unpoly:unpoly-rails:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.7.2.2\", \"matchCriteriaId\": \"5C96F0D3-A1B4-496C-802A-F86FDCFC8B7D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.  If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.\\n\"}]",
      "id": "CVE-2023-28846",
      "lastModified": "2024-11-21T07:56:08.807",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-03-30T20:15:07.780",
      "references": "[{\"url\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Technical Description\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://unpoly.com/up.protocol\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Technical Description\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://unpoly.com/up.protocol\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28846\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-30T20:15:07.780\",\"lastModified\":\"2024-11-21T07:56:08.807\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.  If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:unpoly:unpoly-rails:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.2.2\",\"matchCriteriaId\":\"5C96F0D3-A1B4-496C-802A-F86FDCFC8B7D\"}]}]}],\"references\":[{\"url\":\"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://unpoly.com/up.protocol\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://unpoly.com/up.protocol\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"name\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"name\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"name\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/\", \"name\": \"https://github.com/unpoly/unpoly-rails/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"name\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"name\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://unpoly.com/up.protocol\", \"name\": \"https://unpoly.com/up.protocol\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T13:51:38.695Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28846\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-11T18:46:12.608525Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-11T18:45:56.732Z\"}}], \"cna\": {\"title\": \"Denial of Service in unpoly-rails\", \"source\": {\"advisory\": \"GHSA-m875-3xf6-mf78\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"unpoly\", \"product\": \"unpoly-rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.7.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"name\": \"https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"name\": \"https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"name\": \"https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/unpoly/unpoly-rails/\", \"name\": \"https://github.com/unpoly/unpoly-rails/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"name\": \"https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"name\": \"https://tryhexadecimal.com/guides/http/414-request-uri-too-long\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://unpoly.com/up.protocol\", \"name\": \"https://unpoly.com/up.protocol\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.  If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-30T19:57:38.767Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-28846\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-11T18:46:42.157Z\", \"dateReserved\": \"2023-03-24T16:25:34.466Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-30T19:57:38.767Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-28846

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-28846

Aliases

CVE-2023-28846

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28846",
    "id": "GSD-2023-28846"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28846"
      ],
      "details": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.",
      "id": "GSD-2023-28846",
      "modified": "2023-12-13T01:20:48.506095Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28846",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "unpoly-rails",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.7.2.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "unpoly"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78",
            "refsource": "MISC",
            "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
          },
          {
            "name": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16",
            "refsource": "MISC",
            "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
          },
          {
            "name": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks",
            "refsource": "MISC",
            "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
          },
          {
            "name": "https://github.com/unpoly/unpoly-rails/",
            "refsource": "MISC",
            "url": "https://github.com/unpoly/unpoly-rails/"
          },
          {
            "name": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning",
            "refsource": "MISC",
            "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
          },
          {
            "name": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long",
            "refsource": "MISC",
            "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
          },
          {
            "name": "https://unpoly.com/up.protocol",
            "refsource": "MISC",
            "url": "https://unpoly.com/up.protocol"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-m875-3xf6-mf78",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.7.2.2",
          "affected_versions": "All versions before 2.7.2.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-04-07",
          "description": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.",
          "fixed_versions": [
            "2.7.2.2"
          ],
          "identifier": "CVE-2023-28846",
          "identifiers": [
            "CVE-2023-28846",
            "GHSA-m875-3xf6-mf78"
          ],
          "not_impacted": "All versions starting from 2.7.2.2",
          "package_slug": "gem/unpoly-rails",
          "pubdate": "2023-03-30",
          "solution": "Upgrade to version 2.7.2.2 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-28846",
            "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16",
            "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks",
            "https://github.com/unpoly/unpoly-rails/",
            "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning",
            "https://tryhexadecimal.com/guides/http/414-request-uri-too-long",
            "https://unpoly.com/up.protocol",
            "https://github.com/advisories/GHSA-m875-3xf6-mf78"
          ],
          "uuid": "e75bcbe4-b1df-4bd1-956a-6e9623f18997"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:unpoly:unpoly-rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.2.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28846"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/unpoly/unpoly-rails/",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/unpoly/unpoly-rails/"
            },
            {
              "name": "https://unpoly.com/up.protocol",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://unpoly.com/up.protocol"
            },
            {
              "name": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
            },
            {
              "name": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks",
              "refsource": "MISC",
              "tags": [
                "Technical Description"
              ],
              "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
            },
            {
              "name": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
            },
            {
              "name": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
            },
            {
              "name": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-04-07T18:28Z",
      "publishedDate": "2023-03-30T20:15Z"
    }
  }
}

FKIE_CVE-2023-28846

Vulnerability from fkie_nvd - Published: 2023-03-30 20:15 - Updated: 2024-11-21 07:56

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks	Technical Description
security-advisories@github.com	https://github.com/unpoly/unpoly-rails/	Product
security-advisories@github.com	https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78	Vendor Advisory
security-advisories@github.com	https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning	Third Party Advisory
security-advisories@github.com	https://tryhexadecimal.com/guides/http/414-request-uri-too-long	Third Party Advisory
security-advisories@github.com	https://unpoly.com/up.protocol	Product
af854a3a-2127-422b-91ae-364da2661108	https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks	Technical Description
af854a3a-2127-422b-91ae-364da2661108	https://github.com/unpoly/unpoly-rails/	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://tryhexadecimal.com/guides/http/414-request-uri-too-long	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://unpoly.com/up.protocol	Product

Impacted products

	Vendor	Product	Version
	unpoly	unpoly-rails	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:unpoly:unpoly-rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C96F0D3-A1B4-496C-802A-F86FDCFC8B7D",
              "versionEndExcluding": "2.7.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.  If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds. This issue has been fixed and released as version 2.7.2.2 which is available via RubyGems and GitHub. Users unable to upgrade may: Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness; Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL; or instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails.\n"
    }
  ],
  "id": "CVE-2023-28846",
  "lastModified": "2024-11-21T07:56:08.807",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-30T20:15:07.780",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://unpoly.com/up.protocol"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://unpoly.com/up.protocol"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

BDU:2023-02045

Vulnerability from fstec - Published: 30.03.2023

Title

Уязвимость JavaScript-фреймворка для серверных веб-приложений Unpoly, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость JavaScript-фреймворка для серверных веб-приложений Unpoly связана с неконтролируемым расходом ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

Unpoly

Software Name

Unpoly

Software Version

до 2.7.2.2 (Unpoly)

Possible Mitigations

Использование рекомендаций: https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks https://github.com/unpoly/unpoly-rails/

Reference

https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks https://github.com/unpoly/unpoly-rails/

CWE

CWE-400

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Unpoly",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.7.2.2 (Unpoly)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks \nhttps://github.com/unpoly/unpoly-rails/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "30.03.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.04.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.04.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-02045",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-28846",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Unpoly",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c JavaScript-\u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 \u0434\u043b\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u0445 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Unpoly, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u0440\u0430\u0441\u0445\u043e\u0434\u043e\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0440\u0430\u0441\u0445\u043e\u0434 \u0440\u0435\u0441\u0443\u0440\u0441\u0430 (\u00ab\u0418\u0441\u0442\u043e\u0449\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u00bb) (CWE-400)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c JavaScript-\u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 \u0434\u043b\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u0445 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Unpoly \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u0440\u0430\u0441\u0445\u043e\u0434\u043e\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks \nhttps://github.com/unpoly/unpoly-rails/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-400",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

GHSA-M875-3XF6-MF78

Vulnerability from github – Published: 2023-03-30 22:58 – Updated: 2023-04-07 22:54

Summary

unpoly-rails Denial of Service vulnerability

Details

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.

Impact

This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.

Patches

The fixed release 2.7.2.2+ is available via RubyGems and GitHub.

Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.
Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.
Instead of changing your server configuration you may also configure your Rails application to delete redundant X-Up-Location headers set by unpoly-rails:

```ruby class ApplicationController < ActionController::Base

after_action :remove_redundant_up_location_header

private

def remove_redundant_up_location_header
  if request.original_url == response.headers['X-Up-Location']
    response.headers.delete('X-Up-Location')
  end
end

end ```

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "unpoly-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-30T22:58:38Z",
    "nvd_published_at": "2023-03-30T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the [Unpoly server protocol](https://unpoly.com/up.protocol) for Rails applications.\n\n### Impact\n\nThis issues affects Rails applications that operate as an upstream of a load balancer\u0027s that uses [passive health checks](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks).\n\nThe [unpoly-rails](https://github.com/unpoly/unpoly-rails/) gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.\n\nIf the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.\n\n\n### Patches\n\nThe fixed release 2.7.2.2+ is available via RubyGems and GitHub.\n\n\n### Workarounds\n\nIf you cannot upgrade to a fixed release, several workarounds are available:\n\n- Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.\n- Configure your load balancer so the [maximum size of response headers](https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning) is at least twice the [maximum size of a URL](https://tryhexadecimal.com/guides/http/414-request-uri-too-long).\n- Instead of changing your server configuration you may also configure your Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails:\n  \n  ```ruby\n  class ApplicationController \u003c ActionController::Base\n  \n    after_action :remove_redundant_up_location_header\n    \n    private\n    \n    def remove_redundant_up_location_header\n      if request.original_url == response.headers[\u0027X-Up-Location\u0027]\n        response.headers.delete(\u0027X-Up-Location\u0027)\n      end\n    end\n  \n  end\n  ```",
  "id": "GHSA-m875-3xf6-mf78",
  "modified": "2023-04-07T22:54:15Z",
  "published": "2023-03-30T22:58:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unpoly/unpoly-rails/security/advisories/GHSA-m875-3xf6-mf78"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unpoly/unpoly-rails/commit/cd9ad0007daceeb3b2354fdcab4f88350427bf16"
    },
    {
      "type": "WEB",
      "url": "https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/unpoly-rails/CVE-2023-28846.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unpoly/unpoly-rails"
    },
    {
      "type": "WEB",
      "url": "https://makandracards.com/operations/537537-nginx-proxy-buffer-tuning"
    },
    {
      "type": "WEB",
      "url": "https://tryhexadecimal.com/guides/http/414-request-uri-too-long"
    },
    {
      "type": "WEB",
      "url": "https://unpoly.com/up.protocol"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "unpoly-rails Denial of Service vulnerability"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-28846 (GCVE-0-2023-28846)

GSD-2023-28846

FKIE_CVE-2023-28846

BDU:2023-02045

GHSA-M875-3XF6-MF78

Impact

Patches

Workarounds

Tags

Sightings

Nomenclature