RubySec

Providing security resources for the Ruby community

CVE-2022-44566 (activerecord): Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter

ADVISORIES

GEM

activerecord

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • ~> 5.2.8, >= 5.2.8.15
  • ~> 6.1.7, >= 6.1.7.1
  • >= 7.0.4.1

DESCRIPTION

There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories