CVE-2021-22880.yml
---
gem: activerecord
framework: rails
cve: 2021-22880
ghsa: 8hc4-xxm3-5ppp
url: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
date: 2021-02-10
description: |
  There is a possible DoS vulnerability in the PostgreSQL adapter in Active
  Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

  Versions Affected: >= 4.2.0
  Not affected:      < 4.2.0
  Fixed Versions:    6.1.2.1, 6.0.3.5, 5.2.4.5

  Impact
  ------
  Carefully crafted input can cause the input validation in the "money" type of
  the PostgreSQL adapter in Active Record to spend too much time in a regular
  expression, resulting in the potential for a DoS attack.

  This only impacts Rails applications that are using PostgreSQL along with
  money type columns that take user input.

  Workarounds
  -----------
  In the case a patch can't be applied, the following monkey patch can be used
  in an initializer:

  ```
  module ActiveRecord
    module ConnectionAdapters
      module PostgreSQL
        module OID # :nodoc:
          class Money < Type::Decimal # :nodoc:
            def cast_value(value)
              return value unless ::String === value

              value = value.sub(/^\((.+)\)$/, '-\1') # (4)

              case value
              when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
                value.gsub!(/[^-\d.]/, "")
              when /^-?\D*+[\d.]+,\d{2}$/ # (2)
                value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
              end

              super(value)
            end
          end
        end
      end
    end
  end
  ```
cvss_v3: 5.3
unaffected_versions:
  - "< 4.2.0"
patched_versions:
  - "~> 5.2.4, >= 5.2.4.5"
  - "~> 6.0.3, >= 6.0.3.5"
  - ">= 6.1.2.1"
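The workaround above can be checked outside a Rails application. The following is an added example, not the advisory's or Rails' own code: a stand-alone re-implementation of the patched cast logic with the advisory's regular expressions, exercised against the four money formats the adapter handles. The function names, the sample inputs and the use of Rational in place of Type::Decimal's BigDecimal are assumptions made here to keep the example dependency-free.

```ruby
# Added example: stand-alone version of the patched Money#cast_value logic.
# The two patterns are the advisory's; the possessive quantifier \D*+ means the
# non-digit currency prefix is consumed once and never re-tried on failure,
# which is what bounds the matching time on long inputs.
FORMAT_1 = /^-?\D*+[\d,]+\.\d{2}$/   # (1) $12,345,678.12
FORMAT_2 = /^-?\D*+[\d.]+,\d{2}$/    # (2) $12.345.678,12

# Normalise a PostgreSQL money string to a plain decimal string.
# Non-String values pass through unchanged, as in the original cast_value.
def normalize_pg_money(value)
  return value unless ::String === value

  # (4) accounting-style negative: "($2.55)" -> "-$2.55"
  value = value.sub(/^\((.+)\)$/, '-\1')

  case value
  when FORMAT_1
    # drop the currency symbol and thousands separators
    value = value.gsub(/[^-\d.]/, "")
  when FORMAT_2
    # same, then turn the decimal comma into a point
    value = value.gsub(/[^-\d,]/, "").sub(",", ".")
  end
  # non-bang gsub/sub are used so a no-op substitution cannot yield nil
  value
end

# Stand-in for the `super(value)` call into Type::Decimal: Rails casts the
# normalised string to a BigDecimal; Rational is used here (assumption) so
# the example runs with core Ruby only. Unparseable strings cast to 0, which
# mirrors Type::Decimal's handling of invalid input.
def cast_pg_money(value)
  normalized = normalize_pg_money(value)
  return normalized unless ::String === normalized
  Rational(normalized)
rescue ArgumentError
  0r
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample inputs covering formats (1)-(4)
  ["$12,345,678.12", "$12.345.678,12", "-$2.55", "($2.55)", "(1.234,56)"].each do |s|
    puts "#{s.ljust(16)} -> #{normalize_pg_money(s).ljust(12)} -> #{cast_pg_money(s)}"
  end
end
```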