CVE-2021-22880 — Uncontrolled Resource Consumption in Rails

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGHNVD

EPSS

2.6%

top 14.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Https Github.com Rails Rails +1 more

Timeline

PublishedFeb 11

Latest updateMar 2

Description

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶RubyGemsactiverecord_project/activerecord5.0.0 — 5.2.4.5+2

▶NVDrubyonrails/rails4.2.0 — 5.2.4.5+2

▶Debianrubyonrails/rails< 2:6.0.3.5+dfsg-1+3

▶CVEListV5https/github.com_rails_railsFixed in 6.1.2.1, 6.0.3.5, 5.2.4.5

Also affects: Fedora 32, 33

Patches

Patch: discuss.rubyonrails.org ↗Patch: hackerone.com ↗Patch: discuss.rubyonrails.org ↗

🔴Vulnerability Details

OSV

Active Record subject to Regular Expression Denial-of-Service (ReDoS)↗2021-03-02

▶

GHSA

Active Record subject to Regular Expression Denial-of-Service (ReDoS)↗2021-03-02

▶

OSV

CVE-2021-22880: The PostgreSQL adapter in Active Record before 6↗2021-02-11

▶

CVEList

CVE-2021-22880: The PostgreSQL adapter in Active Record before 6↗2021-02-11

▶

📋Vendor Advisories

Red Hat

rubygem-activerecord: crafted input may cause a regular expression DoS↗2021-02-11

▶

Debian

CVE-2021-22880: rails - The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers...↗2021

▶