CVE-2021-22880

Description

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

How to fix CVE-2021-22880

To remediate CVE-2021-22880, upgrade the affected package to a fixed version below.

• —upgrade to 2:6.0.3.5+dfsg-1 or later
• —upgrade to 2:5.2.2.1+dfsg-1+deb10u3 or later
• —upgrade to 5.2.4.5 or later

Is CVE-2021-22880 being exploited?

Low — EPSS is 2.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2:6.0.3.5+dfsg-1
• from 0, < 2:5.2.2.1+dfsg-1+deb10u3
• >= 5.0.0, < 5.2.4.5

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-22880
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-22880
• WEBdiscuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
• WEBgithub.com/rails/rails