Old versions of CGI::Cookie.parse applied URL decoding to cookie names.
An attacker could exploit this to spoof security prefixes in cookie names,
which may trick a vulnerable application into treating a cookie as one it never set.
With this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this
is an incompatibility if the cookie names you are using include
non-alphanumeric characters that are URL-encoded.
This is the same issue as CVE-2020-8184.
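As an added illustration (not code from this advisory or from the cgi gem), the following models the pre-fix and post-fix parsing of a constructed Cookie header and lists the names that only acquire a `__Host-` or `__Secure-` prefix through decoding; the function names and the sample header are assumptions of this example.

```ruby
require "cgi"

# Constructed Cookie header: the first name is percent-encoded so that URL-decoding
# it yields the "__Host-" prefix, although the browser never sent such a cookie.
SAMPLE_COOKIE_HEADER = "%5F%5FHost-session=abc; __Host-real=xyz; plain=1"

# Prefixes that browsers only set on cookies meeting extra requirements (RFC 6265bis).
SECURITY_PREFIXES = ["__Host-", "__Secure-"].freeze

# Splits a Cookie header into name => value; the value is always decoded,
# the name only when decode_names is true.
def parse_cookie_header(header, decode_names:)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    name = CGI.unescape(name) if decode_names # the step the fix removed
    cookies[name] = CGI.unescape(value.to_s)
  end
end

# Models the pre-fix behaviour of CGI::Cookie.parse: names are URL-decoded.
def parse_cookies_vulnerable(header)
  parse_cookie_header(header, decode_names: true)
end

# Models the fixed behaviour (cgi >= 0.3.1): names are taken literally.
def parse_cookies_fixed(header)
  parse_cookie_header(header, decode_names: false)
end

# Returns the raw names whose decoded form would gain a security prefix,
# i.e. the cookies a decoding parser would wrongly treat as prefixed.
def spoofed_prefix_names(header)
  parse_cookies_fixed(header).keys.select do |raw|
    decoded = CGI.unescape(raw)
    decoded != raw && SECURITY_PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end

if __FILE__ == $0
  puts "decoding parser sees: #{parse_cookies_vulnerable(SAMPLE_COOKIE_HEADER).keys.inspect}"
  puts "fixed parser sees:    #{parse_cookies_fixed(SAMPLE_COOKIE_HEADER).keys.inspect}"
  puts "spoofed via decoding: #{spoofed_prefix_names(SAMPLE_COOKIE_HEADER).inspect}"
end
```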
If you are using Ruby 2.7 or 3.0, run:
gem update cgi
to update it. If you are using bundler, please add `gem "cgi", ">= 0.3.1"` to your
`Gemfile`. If you are using Ruby 2.6, run:
gem update cgi
for Ruby 2.6 or