CVE-2021-33621 — Injection in CGI

CWE-74 — Injection CWE-436 — Interpretation Conflict CWE-113 — HTTP Request/Response Splitting13 documents8 sources

Severity

8.8HIGHNVD

EPSS

1.6%

top 18.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang CGI Ruby-lang Ruby Fedoraproject Fedora

Timeline

PublishedNov 18

Latest updateJun 21

Description

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDruby-lang/cgi0.2.0 — 0.2.2+2

▶RubyGemsruby-lang/cgi0.3.0 — 0.3.5+2

▶NVDruby-lang/ruby2.7.0 — 2.7.7+2

Also affects: Fedora 35, 36, 37

🔴Vulnerability Details

OSV

HTTP response splitting in CGI↗2022-11-19

▶

GHSA

HTTP response splitting in CGI↗2022-11-19

▶

CVEList

CVE-2021-33621: The cgi gem before 0↗2022-11-18

▶

OSV

CVE-2021-33621: The cgi gem before 0↗2022-11-18

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2023-06-21

▶

Ubuntu

Ruby vulnerability↗2023-03-20

▶

Ubuntu

Ruby vulnerability↗2023-01-23

▶

Ubuntu

Ruby vulnerability↗2023-01-17

▶

Red Hat

ruby/cgi-gem: HTTP response splitting in CGI↗2022-11-18

▶

💬Community

HackerOne

Security Unfavorable Specifications and Implementations in the CGI::Cookie Class↗2023-04-09

▶

HackerOne

Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information↗2023-04-09

▶