github - GHSA-8hc4-xxm3-5ppp

GHSA-8HC4-XXM3-5PPP

Vulnerability from github – Published: 2021-03-02 03:44 – Updated: 2023-07-03 22:08

Summary

Active Record subject to Regular Expression Denial-of-Service (ReDoS)

Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.4.4"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.3.4"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.1.2.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-02T03:40:01Z",
    "nvd_published_at": "2021-02-11T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.",
  "id": "GHSA-8hc4-xxm3-5ppp",
  "modified": "2023-07-03T22:08:31Z",
  "published": "2021-03-02T03:44:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22880"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1023899"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210805-0009"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4929"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Active Record subject to Regular Expression Denial-of-Service (ReDoS)"
}

GSD-2021-22880

Vulnerability from gsd - Updated: 2021-02-10 00:00

Details

There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880. Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5 Impact ------ Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. Workarounds ----------- In the case a patch can't be applied, the following monkey patch can be used in an initializer: ``` module ActiveRecord module ConnectionAdapters module PostgreSQL module OID # :nodoc: class Money < Type::Decimal # :nodoc: def cast_value(value) return value unless ::String === value value = value.sub(/^$(.+)$$/, '-\1') # (4) case value when /^-?\D*+[\d,]+\.\d{2}$/ # (1) value.gsub!(/[^-\d.]/, "") when /^-?\D*+[\d.]+,\d{2}$/ # (2) value.gsub!(/[^-\d,]/, "").sub!(/,/, ".") end super(value) end end end end end end ```

Aliases

CVE-2021-22880

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-22880",
    "description": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.",
    "id": "GSD-2021-22880",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-22880.html",
      "https://www.debian.org/security/2021/dsa-4929"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "activerecord",
            "purl": "pkg:gem/activerecord"
          }
        }
      ],
      "aliases": [
        "CVE-2021-22880",
        "GHSA-8hc4-xxm3-5ppp"
      ],
      "details": "There is a possible DoS vulnerability in the PostgreSQL adapter in Active\nRecord. This vulnerability has been assigned the CVE identifier CVE-2021-22880.\n\nVersions Affected:  \u003e= 4.2.0\nNot affected:       \u003c 4.2.0\nFixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5\n\nImpact\n------\nCarefully crafted input can cause the input validation in the \"money\" type of\nthe PostgreSQL adapter in Active Record to spend too much time in a regular\nexpression, resulting in the potential for a DoS attack.\n\nThis only impacts Rails applications that are using PostgreSQL along with\nmoney type columns that take user input.\n\nWorkarounds\n-----------\nIn the case a patch can\u0027t be applied, the following monkey patch can be used\nin an initializer:\n\n```\nmodule ActiveRecord\n  module ConnectionAdapters\n    module PostgreSQL\n      module OID # :nodoc:\n        class Money \u003c Type::Decimal # :nodoc:\n          def cast_value(value)\n            return value unless ::String === value\n\n            value = value.sub(/^\\((.+)\\)$/, \u0027-\\1\u0027) # (4)\n            case value\n            when /^-?\\D*+[\\d,]+\\.\\d{2}$/  # (1)\n              value.gsub!(/[^-\\d.]/, \"\")\n            when /^-?\\D*+[\\d.]+,\\d{2}$/  # (2)\n              value.gsub!(/[^-\\d,]/, \"\").sub!(/,/, \".\")\n            end\n\n            super(value)\n          end\n        end\n      end\n    end\n  end\nend\n```\n",
      "id": "GSD-2021-22880",
      "modified": "2021-02-10T00:00:00.000Z",
      "published": "2021-02-10T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Possible DoS Vulnerability in Active Record PostgreSQL adapter"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2021-22880",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Fixed in 6.1.2.1, 6.0.3.5, 5.2.4.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (CWE-400)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/1023899",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1023899"
          },
          {
            "name": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129",
            "refsource": "MISC",
            "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
          },
          {
            "name": "FEDORA-2021-b571fca1b8",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
          },
          {
            "name": "FEDORA-2021-def0e32233",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
          },
          {
            "name": "DSA-4929",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2021/dsa-4929"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210805-0009/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-22880",
      "cvss_v3": 5.3,
      "date": "2021-02-10",
      "description": "There is a possible DoS vulnerability in the PostgreSQL adapter in Active\nRecord. This vulnerability has been assigned the CVE identifier CVE-2021-22880.\n\nVersions Affected:  \u003e= 4.2.0\nNot affected:       \u003c 4.2.0\nFixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5\n\nImpact\n------\nCarefully crafted input can cause the input validation in the \"money\" type of\nthe PostgreSQL adapter in Active Record to spend too much time in a regular\nexpression, resulting in the potential for a DoS attack.\n\nThis only impacts Rails applications that are using PostgreSQL along with\nmoney type columns that take user input.\n\nWorkarounds\n-----------\nIn the case a patch can\u0027t be applied, the following monkey patch can be used\nin an initializer:\n\n```\nmodule ActiveRecord\n  module ConnectionAdapters\n    module PostgreSQL\n      module OID # :nodoc:\n        class Money \u003c Type::Decimal # :nodoc:\n          def cast_value(value)\n            return value unless ::String === value\n\n            value = value.sub(/^\\((.+)\\)$/, \u0027-\\1\u0027) # (4)\n            case value\n            when /^-?\\D*+[\\d,]+\\.\\d{2}$/  # (1)\n              value.gsub!(/[^-\\d.]/, \"\")\n            when /^-?\\D*+[\\d.]+,\\d{2}$/  # (2)\n              value.gsub!(/[^-\\d,]/, \"\").sub!(/,/, \".\")\n            end\n\n            super(value)\n          end\n        end\n      end\n    end\n  end\nend\n```\n",
      "framework": "rails",
      "gem": "activerecord",
      "ghsa": "8hc4-xxm3-5ppp",
      "patched_versions": [
        "~\u003e 5.2.4, \u003e= 5.2.4.5",
        "~\u003e 6.0.3, \u003e= 6.0.3.5",
        "\u003e= 6.1.2.1"
      ],
      "title": "Possible DoS Vulnerability in Active Record PostgreSQL adapter",
      "unaffected_versions": [
        "\u003c 4.2.0"
      ],
      "url": "https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=4.2.0 \u003c5.2.4.5||\u003e=6.0.0 \u003c6.0.3.5||\u003e=6.1.0 \u003c6.1.2.1",
          "affected_versions": "All versions starting from 4.2.0 before 5.2.4.5, all versions starting from 6.0.0 before 6.0.3.5, all versions starting from 6.1.0 before 6.1.2.1, all versions starting from 32 up to 33",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2021-08-05",
          "description": "The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.",
          "fixed_versions": [
            "5.2.4.5",
            "6.0.3.5",
            "6.1.2.1"
          ],
          "identifier": "CVE-2021-22880",
          "identifiers": [
            "CVE-2021-22880"
          ],
          "not_impacted": "All versions before 4.2.0, all versions starting from 5.2.4.5 before 6.0.0, all versions starting from 6.0.3.5 before 6.1.0, all versions starting from 6.1.2.1 before 32, all versions after 33",
          "package_slug": "gem/activerecord",
          "pubdate": "2021-02-11",
          "solution": "Upgrade to versions 5.2.4.5, 6.0.3.5, 6.1.2.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-22880",
            "https://hackerone.com/reports/1023899",
            "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/",
            "https://www.debian.org/security/2021/dsa-4929",
            "https://security.netapp.com/advisory/ntap-20210805-0009/"
          ],
          "uuid": "780c63f4-18fd-49af-8aa6-4d68dac71c3d"
        },
        {
          "affected_range": "\u003e=4.2.0 \u003c5.2.4.5||\u003e=6.0.0 \u003c6.0.3.5||\u003e=6.1.0 \u003c6.1.2.1",
          "affected_versions": "All versions starting from 4.2.0 before 5.2.4.5, all versions starting from 6.0.0 before 6.0.3.5, all versions starting from 6.1.0 before 6.1.2.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2022-01-04",
          "description": "The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.",
          "fixed_versions": [
            "5.2.4.5",
            "6.0.3.5",
            "6.1.2.1"
          ],
          "identifier": "CVE-2021-22880",
          "identifiers": [
            "CVE-2021-22880"
          ],
          "not_impacted": "All versions before 4.2.0, all versions starting from 5.2.4.5 before 6.0.0, all versions starting from 6.0.3.5 before 6.1.0, all versions starting from 6.1.2.1",
          "package_slug": "gem/rails",
          "pubdate": "2021-02-11",
          "solution": "Upgrade to versions 5.2.4.5, 6.0.3.5, 6.1.2.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-22880",
            "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
          ],
          "uuid": "f9ac0d91-655f-4f1e-aa9d-f90acf30b097"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.4.5",
                "versionStartIncluding": "4.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.3.5",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.1.2.1",
                "versionStartIncluding": "6.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2021-22880"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1023899",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/1023899"
            },
            {
              "name": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
            },
            {
              "name": "FEDORA-2021-b571fca1b8",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
            },
            {
              "name": "FEDORA-2021-def0e32233",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
            },
            {
              "name": "DSA-4929",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4929"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210805-0009/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-01-04T16:38Z",
      "publishedDate": "2021-02-11T18:15Z"
    }
  }
}

CVE-2021-22880 (GCVE-0-2021-22880)

Vulnerability from cvelistv5 – Published: 2021-02-11 16:11 – Updated: 2024-08-03 18:58

Summary

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

Tags

	https://hackerone.com/reports/1023899	x_refsource_MISC
	https://discuss.rubyonrails.org/t/cve-2021-22880-…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.debian.org/security/2021/dsa-4929	vendor-advisoryx_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-2021080…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/rails/rails	Affected: Fixed in 6.1.2.1, 6.0.3.5, 5.2.4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:58:24.778Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1023899"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
          },
          {
            "name": "FEDORA-2021-b571fca1b8",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
          },
          {
            "name": "FEDORA-2021-def0e32233",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
          },
          {
            "name": "DSA-4929",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4929"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 6.1.2.1, 6.0.3.5, 5.2.4.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Denial of Service (CWE-400)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-05T11:07:11",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1023899"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
        },
        {
          "name": "FEDORA-2021-b571fca1b8",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
        },
        {
          "name": "FEDORA-2021-def0e32233",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
        },
        {
          "name": "DSA-4929",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4929"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2021-22880",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 6.1.2.1, 6.0.3.5, 5.2.4.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (CWE-400)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1023899",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1023899"
            },
            {
              "name": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129",
              "refsource": "MISC",
              "url": "https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"
            },
            {
              "name": "FEDORA-2021-b571fca1b8",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"
            },
            {
              "name": "FEDORA-2021-def0e32233",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"
            },
            {
              "name": "DSA-4929",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4929"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210805-0009/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210805-0009/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2021-22880",
    "datePublished": "2021-02-11T16:11:22",
    "dateReserved": "2021-01-06T00:00:00",
    "dateUpdated": "2024-08-03T18:58:24.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-8HC4-XXM3-5PPP

GSD-2021-22880

CVE-2021-22880 (GCVE-0-2021-22880)

Tags

Sightings

Nomenclature