PT-2023-14504
Jeremy Evans
Published: 2023-01-18
Updated: 2025-11-25
CVE-2022-44566
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
ActiveRecord versions prior to 6.1.7.1
ActiveRecord versions prior to 7.0.4.1
Description
A denial of service issue is present in ActiveRecord's PostgreSQL adapter. When a value outside the range of a 64-bit signed integer is supplied to the PostgreSQL connection adapter, the adapter treats the target column type as numeric. Comparing integer column values against numeric values can force PostgreSQL into a slow sequential scan, potentially leading to a denial of service. The root cause is insufficient input validation in the PostgreSQL adapter.
Recommendations
For versions prior to 6.1.7.1, update to version 6.1.7.1 or apply the patch 6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch.
For versions prior to 7.0.4.1, update to version 7.0.4.1 or apply the patch 7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch.
As a temporary workaround, ensure that user-supplied input passed to ActiveRecord clauses contains neither integers wider than a signed 64-bit representation nor floats.
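The following is an added example, not code from the advisory or from Rails, of how the workaround above can be enforced at the boundary: it accepts only integers that fit a signed 64-bit column and drops floats and wider integers before they reach a query clause. The Account model in the usage sketch is hypothetical.

```ruby
# Added example (not from the advisory or from Rails itself): a guard that
# enforces the temporary workaround for CVE-2022-44566. Values are only
# forwarded to ActiveRecord query clauses when they are integers that fit a
# signed 64-bit column; floats and wider integers are rejected so the
# PostgreSQL adapter never falls back to a numeric comparison that can
# trigger a sequential scan.

INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Accepts an Integer or a String holding a plain decimal integer (optional
# leading sign). Returns the Integer, or nil if the value is a float, is not
# numeric, or does not fit in a signed 64-bit integer.
def int64_param(value)
  int =
    case value
    when Integer then value
    when String
      return nil unless value.strip.match?(/\A[+-]?\d+\z/)
      Integer(value.strip, 10)
    else
      return nil # Float, nil, Array, Hash: never pass these through
    end
  int.between?(INT64_MIN, INT64_MAX) ? int : nil
end

# Validates every entry of a user-supplied id list and reports which ones
# were dropped, so the caller can reject or log the request instead of
# silently querying with a partial list.
def int64_params(values)
  accepted = []
  rejected = []
  Array(values).each do |v|
    i = int64_param(v)
    i ? accepted << i : rejected << v
  end
  [accepted, rejected]
end

# Usage sketch in a controller with a hypothetical Account model:
#   ids, bad = int64_params(params[:ids])
#   return head(:bad_request) if bad.any?
#   Account.where(id: ids)
```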
Tags: Exploit, Fix, DoS, RCE, Resource Exhaustion
Affected Products
Alt Linux
Active Record
Debian
Red Os
Rocky Linux
Suse