Lucene search
RubySecRUBY:RUBY-2021-33621HistoryNov 21, 2022 - 9:00 p.m.
HTTP response splitting in CGI
2022-11-2121:00:00
RubySec
www.ruby-lang.org
34
http response splitting
cgi
gem
untrusted user input
attacker
exploit
http response header
body
cgi::cookie object
set-cookie header
attributes
vulnerability
software
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.
Affected configurations
Node
rubyrubyRange2.7.0–2.7.7
ORrubyrubyRange3.0.0–3.0.5
ORrubyrubyRange≤3.1.3
Related
openvas
openvas
Fedora: Security Advisory for ruby (FEDORA-2022-ef96a58bbe)
2022-12-08 00:00:00
Fedora: Security Advisory for ruby (FEDORA-2022-f0f6c6bec2)
2022-12-09 00:00:00
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2023-1458)
2023-03-09 00:00:00
nessus
nessus
EulerOS 2.0 SP9 : ruby (EulerOS-SA-2023-1483)
2023-03-09 00:00:00
Slackware Linux 15.0 / current ruby Vulnerability (SSA:2022-328-01)
2022-11-25 00:00:00
Photon OS 5.0: Ruby PHSA-2024-5.0-0221
2024-07-24 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: ruby-3.0.5-155.fc35
2022-12-09 00:49:28
[SECURITY] Fedora 36 Update: ruby-3.1.3-172.fc36
2022-12-08 01:56:31
[SECURITY] Fedora 37 Update: ruby-3.1.3-172.fc37
2022-12-08 02:06:38
osv
osv
ruby2.3 vulnerability
2023-01-17 15:59:06
BIT-ruby-2021-33621
2024-03-06 11:05:00
libruby3_1-3_1-3.1.3-1.1 on GA media
2024-06-15 00:00:00
ubuntu
ubuntu
Ruby vulnerability
2023-03-20 00:00:00
Ruby vulnerability
2023-01-23 00:00:00
Ruby vulnerability
2023-01-17 00:00:00
cve
cve
CVE-2021-33621
2022-11-18 23:15:18
debiancve
debiancve
CVE-2021-33621
2022-11-18 23:15:18
hackerone
hackerone
Internet Bug Bounty: Security Unfavorable Specifications and Implementations in the CGI::Cookie Class
2023-03-01 08:03:28
Ruby: CGI::Cookieクラスにおけるセキュリティ上好ましくない仕様および実装
2021-05-21 12:21:26
nvd
nvd
CVE-2021-33621
2022-11-18 23:15:18
amazon
amazon
Important: ruby
2024-03-13 20:26:00
cloudfoundry
cloudfoundry
USN-5806-2: Ruby vulnerability | Cloud Foundry
2023-02-24 00:00:00
mageia
mageia
Updated ruby packages fix security vulnerability
2022-12-14 01:09:19
redhat
redhat
(RHSA-2024:4542) Moderate: ruby security update
2024-07-15 15:44:19
github
github
HTTP response splitting in CGI
2022-11-19 00:30:55
rubygems
rubygems
HTTP response splitting in CGI
2022-11-17 21:00:00
redos
redos
ROS-20240827-04
2024-08-27 00:00:00
ubuntucve
ubuntucve
CVE-2021-33621
2022-11-18 00:00:00
cgr
cgr
CVE-2021-33621 vulnerabilities
2024-05-19 03:07:16
prion
prion
Design/Logic Flaw
2022-11-18 23:15:00
alpinelinux
alpinelinux
CVE-2021-33621
2022-11-18 23:15:18
slackware
slackware
[slackware-security] ruby
2022-11-24 21:00:38
veracode
veracode
HTTP Response Splitting
2022-12-07 11:55:45
freebsd
freebsd
rubygem-cgi -- HTTP response splitting vulnerability
2022-11-22 00:00:00
cvelist
cvelist
CVE-2021-33621
2022-11-18 00:00:00
redhatcve
redhatcve
CVE-2021-33621
2022-11-30 16:56:14
wolfi
wolfi
CVE-2021-33621 vulnerabilities
2024-09-30 09:32:54
photon
photon
Important Photon OS Security Update - PHSA-2024-5.0-0221
2024-03-04 00:00:00
Important Photon OS Security Update - PHSA-2024-4.0-0562
2024-02-08 00:00:00
Important Photon OS Security Update - PHSA-2024-3.0-0732
2024-02-29 00:00:00
debian
debian
[SECURITY] [DLA 3450-1] ruby2.5 security update
2023-06-09 10:23:43
[SECURITY] [DLA 3858-1] ruby2.7 security update
2024-09-02 12:46:22
oraclelinux
oraclelinux
ruby:2.7 security, bug fix, and enhancement update
2023-07-08 00:00:00
ruby:3.1 security, bug fix, and enhancement update
2024-03-20 00:00:00
ruby:3.1 security, bug fix, and enhancement update
2024-04-02 00:00:00
rocky
rocky
ruby:2.7 security, bug fix, and enhancement update
2023-08-31 16:54:34
ruby:3.1 security, bug fix, and enhancement update
2024-03-27 04:34:32
ruby:3.1 security, bug fix, and enhancement update
2024-04-05 14:57:12
almalinux
almalinux
Moderate: ruby:2.7 security, bug fix, and enhancement update
2023-06-27 00:00:00
Moderate: ruby:3.1 security, bug fix, and enhancement update
2024-03-19 00:00:00
Moderate: ruby:3.1 security, bug fix, and enhancement update
2024-04-01 00:00:00
ibm
ibm
gentoo
gentoo
Ruby: Multiple vulnerabilities
2024-01-24 00:00:00
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related for RUBY:RUBY-2021-33621