CVE-2021-22880

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-22880
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-22880
Aliases
Related
Published
2021-02-11T18:15:17Z
Modified
2024-10-11T09:41:25Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

References

Affected packages

Debian:11 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.0.3.5+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.0.3.5+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.0.3.5+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events