-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
Copy pathCVE-2022-44566.yml
35 lines (29 loc) · 1.08 KB
/
CVE-2022-44566.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
---
gem: activerecord
framework: rails
cve: 2022-44566
ghsa: 579w-22j4-4749
url: https://github.com/rails/rails/releases/tag/v7.0.4.1
title: Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
date: 2023-01-18
description: |
There is a potential denial of service vulnerability present in
ActiveRecord’s PostgreSQL adapter.
This has been assigned the CVE identifier CVE-2022-44566.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.1.7.1, 7.0.4.1
# Impact
In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a
64bit signed integer is provided to the PostgreSQL connection adapter, it
will treat the target column type as numeric. Comparing integer values
against numeric values can result in a slow sequential scan resulting in
potential Denial of Service.
# Workarounds
Ensure that user supplied input which is provided to ActiveRecord clauses do
not contain integers wider than a signed 64bit representation or floats.
cvss_v3: 7.5
patched_versions:
- "~> 5.2.8"
- "~> 6.1.7, >= 6.1.7.1"
- ">= 7.0.4.1"