CVE-2022-44566

Published: Feb 9, 2023Modified: Mar 25, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Affected (2)

Products: Activerecord Project: Activerecord

Activerecord Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Activerecord Project Activerecord	Before 6.1.7.1
Activerecord Project Activerecord	From 7.0.0 to 7.0.4.1

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (4)

https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html

Source: support@hackerone.com

ExploitMitigationThird Party Advisory

https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119

Source: support@hackerone.com

PatchVendor Advisory

https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.