GHSA-8hc4-xxm3-5ppp

Source

https://github.com/advisories/GHSA-8hc4-xxm3-5ppp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-8hc4-xxm3-5ppp/GHSA-8hc4-xxm3-5ppp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8hc4-xxm3-5ppp

Aliases

CVE-2021-22880

Published

2021-03-02T03:44:14Z

Modified

2024-02-20T05:34:20.856718Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Active Record subject to Regular Expression Denial-of-Service (ReDoS)

Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

References

Affected packages

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.2.4.5

Affected versions

5.*

5.0.0

5.0.0.1

5.0.1.rc1

5.0.1.rc2

5.0.1

5.0.2.rc1

5.0.2

5.0.3

5.0.4.rc1

5.0.4

5.0.5.rc1

5.0.5.rc2

5.0.5

5.0.6.rc1

5.0.6

5.0.7

5.0.7.1

5.0.7.2

5.1.0.beta1

5.1.0.rc1

5.1.0.rc2

5.1.0

5.1.1

5.1.2.rc1

5.1.2

5.1.3.rc1

5.1.3.rc2

5.1.3.rc3

5.1.3

5.1.4.rc1

5.1.4

5.1.5.rc1

5.1.5

5.1.6

5.1.6.1

5.1.6.2

5.1.7.rc1

5.1.7

5.2.0.beta1

5.2.0.beta2

5.2.0.rc1

5.2.0.rc2

5.2.0

5.2.1.rc1

5.2.1

5.2.1.1

5.2.2.rc1

5.2.2

5.2.2.1

5.2.3.rc1

5.2.3

5.2.4.rc1

5.2.4

5.2.4.1

5.2.4.2

5.2.4.3

5.2.4.4

Database specific

{
    "last_known_affected_version_range": "<= 5.2.4.4"
}

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.3.5

Affected versions

6.*

6.0.0

6.0.1.rc1

6.0.1

6.0.2.rc1

6.0.2.rc2

6.0.2

6.0.2.1

6.0.2.2

6.0.3.rc1

6.0.3

6.0.3.1

6.0.3.2

6.0.3.3

6.0.3.4

Database specific

{
    "last_known_affected_version_range": "<= 6.0.3.4"
}

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.2.1

Affected versions

6.*

6.1.0

6.1.1

6.1.2

Database specific

{
    "last_known_affected_version_range": "<= 6.1.2.0"
}