CVE-2021-22880

Source
https://cve.org/CVERecord?id=CVE-2021-22880
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22880.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-22880
Aliases
Downstream
Related
Published
2021-02-11T18:15:17.333Z
Modified
2026-03-13T22:41:47.660465Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation for the money type in the PostgreSQL adapter of Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that use PostgreSQL together with money type columns that take user input.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "5.2.4.5"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.3.5"
        },
        {
            "introduced": "6.1.0"
        },
        {
            "fixed": "6.1.2.1"
        }
    ]
}

Affected versions

v6.*
v6.0.0
v6.0.1.rc1
v6.0.2
v6.0.2.1
v6.0.2.2
v6.0.2.rc1
v6.0.2.rc2
v6.0.3
v6.0.3.1
v6.0.3.2
v6.0.3.3
v6.0.3.4
v6.0.3.rc1
v6.1.0
v6.1.1
v6.1.2

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22880.json"