Posit has discovered a configuration issue with Posit (formerly RStudio) Connect that can allow open redirects in all versions of Connect, including the latest (v2022.12.0). This issue is tracked as CVE-2022-38131. Customers running Connect v1.7.2 and later can resolve this issue as follows:
Edit the /etc/rstudio-connect/rstudio-connect.gcfg file to add URLNormalizationRedirects = false under the [Server] section, as shown below:
[Server]
; SenderEmail is an email address used by RStudio Connect to send outbound
; email. The system will not be able to send administrative email until this
; setting is configured.
;
; SenderEmail = account@company.com
; Address is a public URL for this RStudio Connect server. Must be configured
; to enable features like including links to your content in emails. If
; Connect is deployed behind an HTTP proxy, this should be the URL for Connect
; in terms of that proxy.
;
; Address = https://rstudio-connect.company.com
URLNormalizationRedirects = false
Save the file, and restart the rstudio-connect service:
sudo service rstudio-connect restart
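To confirm the remediation actually took effect on a host (for example after a configuration-management run), the following added check reads a gcfg file and reports whether [Server] explicitly sets URLNormalizationRedirects to false. This is example code written for this article, not Posit's; it assumes the INI-like layout shown above (section headers, key = value lines, ;/# comments) and the sample configs are constructed.

```python
"""Check whether a Connect gcfg file disables URL normalization redirects.

Added example, not Posit's code. Assumes the INI-like layout shown in the
advisory: [Section] headers, `key = value` lines, and `;`/`#` comments.
Section and key matching is case-insensitive, as in the gcfg format; a
commented-out setting does not count as applied.
"""

# Constructed sample: the [Server] block with the remediation applied.
REMEDIATED_GCFG = """\
[Server]
; Address = https://rstudio-connect.company.com
URLNormalizationRedirects = false
"""

# Constructed sample: setting present only as a comment, so the default
# (redirects enabled) still applies.
COMMENTED_OUT_GCFG = """\
[Server]
; URLNormalizationRedirects = false
[Authentication]
Provider = password
"""

def parse_gcfg(text):
    """Return {section: {key: value}} with names lower-cased.
    Comments, blanks and lines outside any section are skipped;
    a later duplicate key overwrites an earlier one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        for sep in (";", "#"):          # drop a trailing comment
            value = value.split(sep, 1)[0]
        sections[current][key.strip().lower()] = value.strip()
    return sections

def url_normalization_redirects_disabled(text):
    """True only if [Server] explicitly sets the key to a false-ish value."""
    value = parse_gcfg(text).get("server", {}).get("urlnormalizationredirects")
    return value is not None and value.lower() in ("false", "no", "off", "0")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/rstudio-connect/rstudio-connect.gcfg"
    with open(path) as fh:
        ok = url_normalization_redirects_disabled(fh.read())
    print(f"{path}: URLNormalizationRedirects {'disabled' if ok else 'NOT disabled'}")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_gcfg.py /etc/rstudio-connect/rstudio-connect.gcfg`; a non-zero exit means the setting is missing or still commented out.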
This remediation has been confirmed for Connect v1.7.2 and later. Customers running versions of Connect older than v1.7.2 should upgrade, as those versions are now out of support.