CVE-2022-38131 configuration issue in Posit Connect


Posit has discovered a configuration issue with Posit (formerly RStudio) Connect that can allow open redirects with all versions of Connect including the latest (v.2022.12.0) This issue is tracked via CVE-2022-38131. Customers running Connect v1.7.2 and later can resolve this issue as follows:

Edit the /etc/rstudio-connect/rstudio-connect.gcfg file to add URLNormalizationRedirects = false under the [Server] section as below:

; SenderEmail is an email address used by RStudio Connect to send outbound
; email. The system will not be able to send administrative email until this
; setting is configured.
; SenderEmail =

; Address is a public URL for this RStudio Connect server. Must be configured
; to enable features like including links to your content in emails. If
; Connect is deployed behind an HTTP proxy, this should be the URL for Connect
; in terms of that proxy.
; Address =

URLNormalizationRedirects = false

Save the file, and restart the rstudio-connect service:

sudo server rstudio-connect restart

This remediation has been confirmed for Connect v.1.7.2 and later. Customers running versions of Connect older than v1.7.2 should upgrade as they are now out of support.