CVE-2021-22880

Name	CVE-2021-22880
Description	The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4929-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
rails (PTS)	jessie, jessie (lts)	2:4.1.8-1+deb8u9	fixed
	stretch (security), stretch (lts), stretch	2:4.2.7.1-1+deb9u5	fixed
	buster (security), buster, buster (lts)	2:5.2.2.1+dfsg-1+deb10u5	fixed
	bullseye (security), bullseye	2:6.0.3.7+dfsg-2+deb11u2	fixed
	bookworm	2:6.1.7.3+dfsg-2~deb12u1	fixed
	sid, trixie	2:6.1.7.3+dfsg-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
rails	source	jessie	(not affected)
rails	source	stretch	(not affected)
rails	source	buster	2:5.2.2.1+dfsg-1+deb10u3	DSA-4929-1
rails	source	(unstable)	2:6.0.3.5+dfsg-1

Notes

[stretch] - rails <not-affected> (Vulnerable asterisk in regex added later)
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
https://hackerone.com/reports/1023899
https://github.com/rails/rails/commit/eddda4d8fb6b6508e11196b14494ceac37b57339 (main)
https://github.com/rails/rails/commit/879d02107b5b3eb7aeaad1cd1f259bb41f17286b (v6.0.3.5)
https://github.com/rails/rails/commit/bf0ef9df1793046241c26b3fb92fac551d1628b4 (5.2-stable)
[jessie] - rails <not-affected> (money.rb added later, original code in oid.rb with regex plus, not asterisk)