CVE-2022-44566

2023-02-0920:15:11

CWE-400

[email protected]

web.nvd.nist.gov

103

cve

2022

44566

denial of service

activerecord

postgresql adapter

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.5%

JSON

A denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Affected configurations

NVD

Node

activerecord_projectactiverecordRange<6.1.7.1ruby

activerecord_projectactiverecordRange7.0.0–7.0.4.1ruby

CPENameOperatorVersion
activerecord_project:activerecordactiverecord project activerecordlt6.1.7.1
activerecord_project:activerecordactiverecord project activerecordlt7.0.4.1

CPE	Name	Operator	Version
activerecord_project:activerecord	activerecord project activerecord	lt	6.1.7.1
activerecord_project:activerecord	activerecord project activerecord	lt	7.0.4.1

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/rails/rails",
    "versions": [
      {
        "version": "7.0.4.1, 6.1.7.1",
        "status": "affected"
      }
    ]
  }
]