CVE-2021-22880
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
El adaptador PostgreSQL en Active Record versiones anteriores a 6.1.2.1, 6.0.3.5, 5.2.4.5, sufre una vulnerabilidad de denegación de servicio de expresión regular (REDoS). Una entrada cuidadosamente diseñada puede causar que la comprobación de la entrada en el tipo "money" del adaptador de PostgreSQL en Active Record pase demasiado tiempo en una expresión regular, resultando en la posibilidad de un ataque DoS. Esto solo afecta a las aplicaciones Rails que usan PostgreSQL junto con las columnas de tipo money que toman la entrada del usuario
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-06 CVE Reserved
- 2021-02-11 CVE Published
- 2023-10-30 First Exploit
- 2024-01-04 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20210805-0009 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/halkichi0308/CVE-2021-22880 | 2023-10-30 | |
https://hackerone.com/reports/1023899 | 2024-08-03 |
URL | Date | SRC |
---|---|---|
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 4.2.0 < 5.2.4.5 Search vendor "Rubyonrails" for product "Rails" and version " >= 4.2.0 < 5.2.4.5" | - |
Affected
| ||||||
Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 6.0.0 < 6.0.3.5 Search vendor "Rubyonrails" for product "Rails" and version " >= 6.0.0 < 6.0.3.5" | - |
Affected
| ||||||
Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 6.1.0 < 6.1.2.1 Search vendor "Rubyonrails" for product "Rails" and version " >= 6.1.0 < 6.1.2.1" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
|