There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.
Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5
Carefully crafted input can cause the input validation in the “money” type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.
This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.
In the case a patch can’t be applied, the following monkey patch can be used
in an initializer:
module ActiveRecord
module ConnectionAdapters
module PostgreSQL
module OID # :nodoc:
class Money < Type::Decimal # :nodoc:
def cast_value(value)
return value unless ::String === value
value = value.sub(/^\((.+)\)$/, '-\1') # (4)
case value
when /^-?\D*+[\d,]+\.\d{2}$/ # (1)
value.gsub!(/[^-\d.]/, "")
when /^-?\D*+[\d.]+,\d{2}$/ # (2)
value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
end
super(value)
end
end
end
end
end
end
CPE | Name | Operator | Version |
---|---|---|---|
activerecord | lt | 4.2.0 | |
activerecord | le | 5.2.4.4 | |
activerecord | ge | 5.2.5.0 | |
activerecord | le | 6.0.3.4 | |
activerecord | ge | 6.0.4.0 | |
activerecord | lt | 6.1.2.1 |