Posit has discovered a configuration issue with Posit (formerly RStudio) Connect that can allow open redirects in all versions of Connect, including the latest (v2022.12.0). This issue is tracked as CVE-2022-38131. Customers running Connect v1.7.2 and later can resolve this issue as follows:

1. Edit the /etc/rstudio-connect/rstudio-connect.gcfg file and add URLNormalizationRedirects = false under the [Server] section, as below (the lines beginning with ; are existing comments in that section and are shown only for context):
    [Server]
    ; SenderEmail is an email address used by RStudio Connect to send outbound
    ; email. The system will not be able to send administrative email until this
    ; setting is configured.
    ; SenderEmail = firstname.lastname@example.org

    ; Address is a public URL for this RStudio Connect server. Must be configured
    ; to enable features like including links to your content in emails. If
    ; Connect is deployed behind an HTTP proxy, this should be the URL for Connect
    ; in terms of that proxy.
    ; Address = https://rstudio-connect.company.com

    URLNormalizationRedirects = false
2. Save the file, and restart the Connect service so the new setting takes effect:

    sudo service rstudio-connect restart
This remediation has been confirmed for Connect v1.7.2 and later. Customers running versions of Connect older than v1.7.2 should upgrade, as those versions are now out of support.
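After applying the change, an administrator will usually want to verify that the setting actually landed in the [Server] section (and not, for example, only in a commented-out line or under a different section). The script below is an added example written for this page; it is not Posit's code or part of Connect. It implements a minimal parser for the INI-style gcfg format (sections in square brackets, `Key = value` lines, `;` or `#` comments) and reports whether URLNormalizationRedirects is set to false in [Server]. The sample configurations embedded in it are constructed for illustration, and the CLI usage (passing a file path) is an assumption of this example, not a documented Connect tool.

```python
"""Check an rstudio-connect.gcfg file for the CVE-2022-38131 mitigation.

Added example for this advisory (not Posit's code). It verifies that
`URLNormalizationRedirects = false` is present under the [Server] section.
"""
import re
import sys

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")


def parse_gcfg(text):
    """Minimal gcfg/INI parser.

    Returns {section_name_lowercased: {key_lowercased: [values in file order]}}.
    Section and variable names are compared case-insensitively, as gcfg does.
    Anything after ';' or '#' on a line is treated as a comment (values
    containing those characters are not expected in this file).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2).strip()
            sections[current].setdefault(key, []).append(value)
    return sections


def check_mitigation(text):
    """Classify a config file's state with respect to the advisory.

    'mitigated' : [Server] URLNormalizationRedirects = false is set
    'enabled'   : the key is present under [Server] but not set to false
    'missing'   : the key is absent from [Server] (default behaviour applies,
                  i.e. the configuration the advisory describes as affected)
    If the key appears more than once, the last occurrence is used.
    """
    cfg = parse_gcfg(text)
    values = cfg.get("server", {}).get("urlnormalizationredirects", [])
    if not values:
        return "missing"
    return "mitigated" if values[-1].lower() == "false" else "enabled"


# Constructed sample configurations (not real customer files).
SAMPLE_MITIGATED = """\
[Server]
; Address = https://rstudio-connect.company.com
URLNormalizationRedirects = false
"""

SAMPLE_DEFAULT = """\
[Server]
; URLNormalizationRedirects = false   ; still commented out, so not applied
[Http]
Listen = :3939
"""

SAMPLE_WRONG_SECTION = """\
[Server]
[Http]
URLNormalizationRedirects = false
"""


def main(argv):
    # Usage (assumed for this example): python check_gcfg.py /etc/rstudio-connect/rstudio-connect.gcfg
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DEFAULT
    print(check_mitigation(text))


if __name__ == "__main__":
    main(sys.argv)
```

Running it against the real file path prints one of `mitigated`, `enabled` or `missing`; anything other than `mitigated` means step 1 of the remediation has not taken effect and the service restart in step 2 will not help.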