Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-33621

Published: 18 November 2022

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Priority

Medium

Cvss 3 Severity Score

8.8

Score breakdown

Status

Package Release Status
jruby
Launchpad, Ubuntu, Debian 		bionic Needs triage

focal Needs triage

jammy Does not exist

kinetic Does not exist

lunar Ignored
(end of life, was needs-triage)
mantic Needs triage

noble Needs triage

trusty Needs triage

upstream Needs triage

xenial Needs triage

ruby1.9.1
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Does not exist

ruby2.0
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Does not exist

ruby2.3
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream
Released
xenial
Released (2.3.1-2~ubuntu16.04.16+esm4)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
Patches:
upstream: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708
upstream: https://github.com/ruby/cgi/commit/30107a4797f14227568913499a9a0bb4285de63b
upstream: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819
upstream: https://github.com/ruby/cgi/commit/35317005f853112295de8b8bd99643e66dff4e33
upstream: https://github.com/ruby/cgi/commit/3b5db783557a18150a06776b4af07ef658afb7f5
upstream: https://github.com/ruby/cgi/commit/245b3f7e7446aa0bbd0ab09bf8a8bbc9e098f3ff
upstream: https://github.com/ruby/cgi/commit/85e22c30b4e410d1dc57f21160cc24b236b8cdc6
upstream: https://github.com/ruby/cgi/commit/5f569ecdb45dc5418f0fd3d1378ba1bde5107ea5
upstream: https://github.com/ruby/cgi/commit/107a0c67f922044dc78e2fde94f991206267a6a0
ruby2.5
Launchpad, Ubuntu, Debian 		bionic
Released (2.5.1-1ubuntu1.13)
focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby2.7
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal
Released (2.7.0-5ubuntu1.8)
jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby3.0
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Does not exist

jammy
Released (3.0.2-7ubuntu2.3)
kinetic
Released (3.0.4-7ubuntu0.1)
lunar Does not exist

mantic Does not exist

noble Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

ruby3.1
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic
Released (3.1.2-2ubuntu0.22.10.1)
lunar Not vulnerable
(3.1.2-6)
mantic Not vulnerable
(3.1.2-6)
noble Does not exist

trusty Does not exist

upstream
Released (3.1.2-4)
xenial Does not exist

Severity score breakdown

Parameter Value
Base score 8.8
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading