CVE-2021-33621
Published: 18 November 2022
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Priority
Status
Package | Release | Status |
---|---|---|
jruby Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Needs triage
|
|
noble |
Needs triage
|
|
trusty |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
|
|
xenial |
Released
(2.3.1-2~ubuntu16.04.16+esm4)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
Patches: upstream: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 upstream: https://github.com/ruby/cgi/commit/30107a4797f14227568913499a9a0bb4285de63b upstream: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 upstream: https://github.com/ruby/cgi/commit/35317005f853112295de8b8bd99643e66dff4e33 upstream: https://github.com/ruby/cgi/commit/3b5db783557a18150a06776b4af07ef658afb7f5 upstream: https://github.com/ruby/cgi/commit/245b3f7e7446aa0bbd0ab09bf8a8bbc9e098f3ff upstream: https://github.com/ruby/cgi/commit/85e22c30b4e410d1dc57f21160cc24b236b8cdc6 upstream: https://github.com/ruby/cgi/commit/5f569ecdb45dc5418f0fd3d1378ba1bde5107ea5 upstream: https://github.com/ruby/cgi/commit/107a0c67f922044dc78e2fde94f991206267a6a0 |
||
ruby2.5 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.5.1-1ubuntu1.13)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby2.7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Released
(2.7.0-5ubuntu1.8)
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby3.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Released
(3.0.2-7ubuntu2.3)
|
|
kinetic |
Released
(3.0.4-7ubuntu0.1)
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
ruby3.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Released
(3.1.2-2ubuntu0.22.10.1)
|
|
lunar |
Not vulnerable
(3.1.2-6)
|
|
mantic |
Not vulnerable
(3.1.2-6)
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(3.1.2-4)
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
- https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708
- https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819
- https://ubuntu.com/security/notices/USN-5806-1
- https://ubuntu.com/security/notices/USN-5806-2
- https://ubuntu.com/security/notices/USN-5806-3
- https://ubuntu.com/security/notices/USN-6181-1
- https://www.cve.org/CVERecord?id=CVE-2021-33621
- NVD
- Launchpad
- Debian