CVE-2021-22880: Input Validation
First published: Thu Feb 11 2021(Updated: )
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/rails | 2:5.2.2.1+dfsg-1+deb10u3 2:5.2.2.1+dfsg-1+deb10u5 2:6.0.3.7+dfsg-2+deb11u2 2:6.1.7.3+dfsg-1 2:6.1.7.3+dfsg-2 | |
| Rubyonrails Rails | >=4.2.0<5.2.4.5 | |
| Rubyonrails Rails | >=6.0.0<6.0.3.5 | |
| Rubyonrails Rails | >=6.1.0<6.1.2.1 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
- https://hackerone.com/reports/1023899
- https://github.com/rails/rails/commit/eddda4d8fb6b6508e11196b14494ceac37b57339
- https://github.com/rails/rails/commit/879d02107b5b3eb7aeaad1cd1f259bb41f17286b
- https://github.com/rails/rails/commit/bf0ef9df1793046241c26b3fb92fac551d1628b4
- https://security-tracker.debian.org/tracker/CVE-2021-22880
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
- https://security.netapp.com/advisory/ntap-20210805-0009/
- https://www.debian.org/security/2021/dsa-4929
Frequently Asked Questions
What is CVE-2021-22880?
CVE-2021-22880 is a regular expression denial of service (REDoS) vulnerability in the PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5.
What is the severity of CVE-2021-22880?
CVE-2021-22880 has a severity score of 7.5 (high).
Which software versions are affected by CVE-2021-22880?
CVE-2021-22880 affects Rails versions 5.2.4.5, 6.0.3.5, 6.1.2.1, and earlier.
How can I fix the CVE-2021-22880 vulnerability?
To fix the CVE-2021-22880 vulnerability, upgrade to Active Record versions 5.2.2.1+dfsg-1+deb10u3, 6.0.3.7+dfsg-2+deb11u2, 6.1.7.3+dfsg-1, or 6.1.7.3+dfsg-2.
Where can I find more information about CVE-2021-22880?
You can find more information about CVE-2021-22880 at the following references: [link1](https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129), [link2](https://hackerone.com/reports/1023899), [link3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/).
- collector/security-tracker-debian
- collector/nvd-index
- package-manager/debian
- vendor/rubyonrails
- canonical/rubyonrails rails
- version/rubyonrails rails/4.2.0
- version/rubyonrails rails/6.0.0
- version/rubyonrails rails/6.1.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33