CVE-2021-33621
published 2022-11-18CVE-2021-33621: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use…
PriorityP351high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.29%
81.0th percentile
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < ruby2.7 2.7.4-1+deb11u2 (bullseye) | ruby2.7 2.7.4-1+deb11u2 (bullseye) |
| debian | ruby3.1 | < ruby2.7 2.7.4-1+deb11u2 (bullseye) | ruby2.7 2.7.4-1+deb11u2 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| ruby-lang | cgi | < 0.1.0.2 | 0.1.0.2 |
| ruby-lang | cgi | >= 0 < 0.1.0.2 | 0.1.0.2 |
| ruby-lang | cgi | >= 0.2.0 < 0.2.2 | 0.2.2 |
| ruby-lang | cgi | >= 0.2.0 < 0.2.2 | 0.2.2 |
| ruby-lang | cgi | >= 0.3.0 < 0.3.5 | 0.3.5 |
| ruby-lang | cgi | >= 0.3.0 < 0.3.5 | 0.3.5 |
| ruby-lang | ruby | >= 2.7.0 < 2.7.7 | 2.7.7 |
| ruby-lang | ruby | >= 3.0.0 < 3.0.5 | 3.0.5 |
| ruby-lang | ruby | >= 3.1.0 < 3.1.3 | 3.1.3 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2023-06-21·CVSS 8.8
CVE-2023-28755 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications the generate HTTP responses using cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application. This issue
only affected Ubuntu 22.10. (CVE-2021-33621)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-28755, CVE-2023-28756)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerability
vendor_ubuntu·2023-03-20
CVE-2021-33621 Ruby vulnerability
Title: Ruby vulnerability
Summary: Ruby could allow for internet traffic to be modified if
a vulnerable application processed malicious user input.
USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem
for Ubuntu 20.04 LTS.
Original advisory details:
Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications which generate HTTP responses using cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerability
vendor_ubuntu·2023-01-23
CVE-2021-33621 Ruby vulnerability
Title: Ruby vulnerability
Summary: Ruby could allow for internet traffic to be modified if
a vulnerable application processed malicious user input.
USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem
for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.10.
Original advisory details:
Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications which generate HTTP responses using cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerability
vendor_ubuntu·2023-01-17
CVE-2021-33621 Ruby vulnerability
Title: Ruby vulnerability
Summary: Ruby could allow for internet traffic to be modified if
a vulnerable application processed malicious user input.
Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications the generate HTTP responses using cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ruby/cgi-gem: HTTP response splitting in CGI
vendor_redhat·2022-11-18·CVSS 8.8
CVE-2021-33621 [HIGH] CWE-113 ruby/cgi-gem: HTTP response splitting in CGI
ruby/cgi-gem: HTTP response splitting in CGI
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients.
Statement: This vulnerability is marked as moderate because the flaw was more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under
Debian
CVE-2021-33621: ruby2.7 - The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby ...
vendor_debian·2021·CVSS 8.8
CVE-2021-33621 [HIGH] CVE-2021-33621: ruby2.7 - The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby ...
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u2)
OSV
HTTP response splitting in CGI
osv·2022-11-19
CVE-2021-33621 [HIGH] HTTP response splitting in CGI
HTTP response splitting in CGI
Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.
GHSA
HTTP response splitting in CGI
ghsa·2022-11-19
CVE-2021-33621 [HIGH] CWE-436 HTTP response splitting in CGI
HTTP response splitting in CGI
Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.
OSV
CVE-2021-33621: The cgi gem before 0
osv·2022-11-18·CVSS 8.8
CVE-2021-33621 [HIGH] CVE-2021-33621: The cgi gem before 0
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
No detection rules found.
No public exploits indexed.
HackerOne
Security Unfavorable Specifications and Implementations in the CGI::Cookie Class
hackerone·2023-04-09·CVSS 8.8
CVE-2021-33621 [HIGH] Security Unfavorable Specifications and Implementations in the CGI::Cookie Class
Security Unfavorable Specifications and Implementations in the CGI::Cookie Class
CVE-2021-33621: HTTP response splitting in CGI
Posted by mame on 22 Nov 2022
We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP response splitting vulnerability. This vulnerability has been assigned the CVE identifier CVE-2021-33621.
Details
If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are un
HackerOne
Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information
hackerone·2023-04-09·CVSS 8.8
CVE-2021-33621 [HIGH] Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information
Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information
CVE-2021-33621: HTTP response splitting in CGI
Posted by mame on 22 Nov 2022
We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP response splitting vulnerability. This vulnerability has been assigned the CVE identifier CVE-2021-33621.
Details
If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think
https://lists.debian.org/debian-lts-announce/2023/06/msg00012.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/https://security.gentoo.org/glsa/202401-27https://security.netapp.com/advisory/ntap-20221228-0004/https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/https://lists.debian.org/debian-lts-announce/2023/06/msg00012.htmlhttps://lists.debian.org/debian-lts-announce/2024/09/msg00000.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/https://security.gentoo.org/glsa/202401-27https://security.netapp.com/advisory/ntap-20221228-0004/https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
2022-11-18
Published