CVE-2021-22880

Published: 11 Feb 2021
Source: nvd
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Version from 4.2.0 (inclusive) to 5.2.4.5 (exclusive)
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Version from 6.0.0 (inclusive) to 6.0.3.5 (exclusive)
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Version from 6.1.0 (inclusive) to 6.1.2.1 (exclusive)

Configuration 2

One of

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

EPSS

Percentile: 85%
0.02459
Low

7.5 High

CVSS3

5 Medium

CVSS2

Weaknesses

CWE-400

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 5 years ago

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

CVSS3: 7.5
redhat
almost 5 years ago

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

CVSS3: 7.5
debian
almost 5 years ago

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4 ...

suse-cvrf
about 4 years ago

Security update for rubygem-activerecord-5_1

suse-cvrf
about 4 years ago

Security update for rubygem-activerecord-5_1
