HTTP Response Splitting Vulnerability in Ruby CGI Gem
CVE-2021-33621

8.8HIGH

Key Information:

Vendor

Ruby-lang

Status
Cgi
Vendor
CVE Published:
18 November 2022

What is CVE-2021-33621?

The Ruby cgi gem is susceptible to an HTTP response splitting vulnerability due to improper handling of user-supplied input. This flaw can be exploited by attackers to manipulate HTTP responses sent by applications, compromising application integrity. Specifically, untrusted input used in generating HTTP responses or creating CGI::Cookie objects can lead to unexpected behaviors, such as cookie injections or web cache poisoning. Developers using affected versions of the cgi gem are advised to upgrade to secure versions to mitigate risks associated with this vulnerability.

References

https://www.ruby-lang.org/en/news/2022/11/22/http-respons...
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.