GMS-2023-59: Duplicate of ./gem/activerecord/CVE-2022-44566.yml
There is a potential denial of service vulnerability in ActiveRecord's PostgreSQL adapter (CVE-2022-44566). In ActiveRecord versions before 7.0.4.1 and before 6.1.7.1, when a value outside the range of a signed 64-bit integer is supplied to the PostgreSQL connection adapter, the adapter treats the target column type as numeric rather than integer. PostgreSQL cannot use an integer (bigint) index to compare against a numeric value, so the comparison is evaluated with a slow sequential scan of the table, which an attacker can trigger repeatedly to cause denial of service. Fixed versions are 7.0.4.1 and 6.1.7.1. As a workaround, ensure that user-supplied input passed to ActiveRecord clauses does not contain integers wider than a signed 64-bit representation, or floats.
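The workaround above amounts to range-checking untrusted integers before they reach a query. The following is an added example, not code from Rails or from the advisory: a small, hypothetical guard that parses a request parameter strictly as a decimal integer and rejects anything outside PostgreSQL's bigint range (the names safe_bigint, within_int64? and OutOfRangeIdentifier are assumptions for this illustration).

```ruby
# Added example for CVE-2022-44566 / GMS-2023-59: reject user-supplied
# integers that do not fit a signed 64-bit (PostgreSQL bigint) column
# before they are handed to ActiveRecord. Hypothetical helper, not Rails code.

INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Raised for values that are not integers or fall outside the bigint range.
class OutOfRangeIdentifier < ArgumentError; end

# Strictly parse +value+ as a base-10 integer and return it as an Integer.
# Floats ("12.5"), exponent forms ("1e3") and blanks are rejected, as is any
# integer wider than 64 bits, so the value can never be planned as numeric.
def safe_bigint(value)
  str = value.to_s.strip
  unless str.match?(/\A[+-]?\d+\z/)
    raise OutOfRangeIdentifier, "not a decimal integer: #{value.inspect}"
  end
  n = Integer(str, 10)
  unless (INT64_MIN..INT64_MAX).cover?(n)
    raise OutOfRangeIdentifier, "outside signed 64-bit range: #{str}"
  end
  n
end

# Boolean form of the same check, convenient in validations.
def within_int64?(value)
  safe_bigint(value)
  true
rescue OutOfRangeIdentifier
  false
end

# Coerce the listed keys of a params-like hash, returning a new hash with
# Integer values; any key that fails the check raises OutOfRangeIdentifier,
# which a controller can rescue and answer with 400 Bad Request.
def coerce_id_params(params, *keys)
  keys.each_with_object({}) do |key, out|
    next unless params.key?(key)
    out[key] = safe_bigint(params[key])
  end
end

# Usage in an application (illustrative):
#   ids = coerce_id_params(params, :id, :parent_id)
#   User.where(id: ids[:id])
```

The guard is deliberately stricter than Integer(): it rejects "1e3" and "12.5", which Ruby would accept in other contexts, because a float reaching the adapter is planned as numeric just as an oversized integer is.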