CVE-2022-44566Uncontrolled Resource Consumption in Project Activerecord

CWE-400Uncontrolled Resource Consumption7 documents6 sources
Severity
7.5HIGHNVD
EPSS
2.4%
top 14.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rubyonrails RailsActiverecord Project ActiverecordHttps Github.com Rails Rails
Timeline
PublishedFeb 9

Description

A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDactiverecord_project/activerecord7.0.07.0.4.1+1
RubyGemsactiverecord_project/activerecord7.0.07.0.4.1+1
Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u3+3
CVEListV5https/github.com_rails_rails7.0.4.1, 6.1.7.1

Patches

Patch: discuss.rubyonrails.orgPatch: discuss.rubyonrails.org

🔴Vulnerability Details

4
CVEList
CVE-2022-44566: A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <72023-02-09
OSV
CVE-2022-44566: A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <72023-02-09
GHSA
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter2023-01-18
OSV
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter2023-01-18

📋Vendor Advisories

2
Red Hat
rubygem-activerecord: Denial of Service2023-01-20
Debian
CVE-2022-44566: rails - A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <...2022
CVE-2022-44566 — Uncontrolled Resource Consumption | cvebase