Home > Vulnerability Database > CVE-2021-22880

Mend.io Vulnerability Database

CVE-2021-22880

Good to know:

Date: February 11, 2021

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Language: Ruby

Severity Score

7.5

Related Resources (15)

Url: https://security-tracker.debian.org/tracker/CVE-2021-22880

Url: https://security.netapp.com/advisory/ntap-20210805-0009

Url: https://security.netapp.com/advisory/ntap-20210805-0009/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH

Url: https://github.com/rails/rails

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-22880

Url: https://www.debian.org/security/2021/dsa-4929

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

Url: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Url: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

Url: https://hackerone.com/reports/1023899

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml

Url: https://www.mend.io/vulnerability-database/CVE-2021-22880

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version activerecord - 6.1.2.1;activerecord - 5.2.4.5;activerecord - 6.0.3.5

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-22880

Good to know:

Date: February 11, 2021

Language: Ruby

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?