Cookie Name Handling Flaw in Ruby and CGI Gem
CVE-2021-41819

7.5HIGH

Key Information:

Vendor: Ruby-lang
Status: Ruby; Cgi
Vendor: CVE Published:; 1 January 2022

What is CVE-2021-41819?

The CGI::Cookie.parse method in Ruby prior to version 2.6.8 has a weakness in how it processes security prefixes in cookie names. This vulnerability can result in incorrect handling of cookies, potentially allowing unauthorized access to sensitive data. Applications utilizing the CGI gem version 0.3.0 or earlier are also affected, making it essential for developers to review their cookie parsing mechanisms and implement necessary updates to mitigate the risk of cookie spoofing attacks.

References

https://hackerone.com/reports/910552

https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefi...

https://security.netapp.com/advisory/ntap-20220121-0003/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 1, 2022
Vulnerability Reserved
Sep 29, 2021

Ruby-lang

What is CVE-2021-41819?

References

CVSS V3.1

Timeline