NVD Vulnerability Detail

CVE-2021-22880

Summary	The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Publication Date	Feb. 12, 2021, 3:15 a.m.
Registration Date	Feb. 12, 2021, 10:02 a.m.
Last Update	Nov. 21, 2024, 2:50 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129	Mitigation Patch Vendor Advisory
2	https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129	Mitigation Patch Vendor Advisory
3	https://hackerone.com/reports/1023899	Exploit Patch Third Party Advisory
4	https://hackerone.com/reports/1023899	Exploit Patch Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
9	https://security.netapp.com/advisory/ntap-20210805-0009/	Third Party Advisory
10	https://security.netapp.com/advisory/ntap-20210805-0009/	Third Party Advisory
11	https://www.debian.org/security/2021/dsa-4929	Third Party Advisory
12	https://www.debian.org/security/2021/dsa-4929	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-400	リソースの枯渇	https://cwe.mitre.org/data/definitions/400.html

JVN Vulnerability Information

Active Record におけるリソースの枯渇に関する脆弱性

Title	Active Record におけるリソースの枯渇に関する脆弱性
Summary	Active Record には、リソースの枯渇に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 10, 2021, midnight
Registration Date	Nov. 4, 2021, 3:05 p.m.
Last Update	Nov. 4, 2021, 3:05 p.m.

Affected System

Fedora Project

Fedora

Ruby on Rails project

Rails 5.2.4.5 未満

Rails 6.0.3.5 未満

Rails 6.1.2.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-22880	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
National Vulnerability Database (NVD)
2	CVE-2021-22880	https://nvd.nist.gov/vuln/detail/CVE-2021-22880

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-400	https://cwe.mitre.org/data/definitions/400.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-b571fca1b8	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
2	FEDORA-2021-def0e32233	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
Rails weblog
3	[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter	https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

その他

No	Name	URL
関連文書
1	Regular expression denial of service in ActiveRecord's Postgre SQL Money type	https://hackerone.com/reports/1023899

Change Log

No	Changed Details	Date of change
1	[2021年11月04日] 掲載	Nov. 4, 2021, 3:05 p.m.