High severityNVD Advisory· Published Feb 11, 2021· Updated Aug 3, 2024
CVE-2021-22880
CVE-2021-22880
Description
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activerecordRubyGems | >= 5.0.0, < 5.2.4.5 | 5.2.4.5 |
activerecordRubyGems | >= 6.0.0, < 6.0.3.5 | 6.0.3.5 |
activerecordRubyGems | >= 6.1.0, < 6.1.2.1 | 6.1.2.1 |
Affected products
11- Active Record/Active Recorddescription
- ghsa-coords10 versionspkg:gem/activerecordpkg:rpm/opensuse/rubygem-activerecord-5_1&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/rubygem-activerecord-5_1&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/rubygem-activerecord-6.0&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-activerecord-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/rubygem-activerecord-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-activerecord-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-activerecord-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-activerecord-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3
>= 5.0.0, < 5.2.4.5+ 9 more
- (no CPE)range: >= 5.0.0, < 5.2.4.5
- (no CPE)range: < 5.1.4-lp152.4.3.1
- (no CPE)range: < 5.1.4-5.3.3
- (no CPE)range: < 6.0.4.4-1.1
- (no CPE)range: < 4.2.9-6.6.1
- (no CPE)range: < 4.2.9-6.6.1
- (no CPE)range: < 5.1.4-5.3.3
- (no CPE)range: < 5.1.4-5.3.3
- (no CPE)range: < 5.1.4-5.3.3
- (no CPE)range: < 5.1.4-5.3.3
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-8hc4-xxm3-5pppghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-22880ghsaADVISORY
- www.debian.org/security/2021/dsa-4929ghsavendor-advisoryx_refsource_DEBIANWEB
- discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129ghsax_refsource_MISCWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.ymlghsaWEB
- groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhIghsaWEB
- hackerone.com/reports/1023899ghsax_refsource_MISCWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3ghsaWEB
- security.netapp.com/advisory/ntap-20210805-0009ghsaWEB
- security.netapp.com/advisory/ntap-20210805-0009/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.