CVE-2021-33621
Published: 18 November 2022
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Priority
Medium
CVSS 3 base score: 8.8
Status
| Package | Release | Status |
|---|---|---|
|
jruby Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
|
|
| xenial |
Released
(2.3.1-2~ubuntu16.04.16+esm4)
|
|
|
Patches: upstream: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (0.3.5) upstream: https://github.com/ruby/cgi/commit/30107a4797f14227568913499a9a0bb4285de63b (0.3.5) upstream: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (0.3.5) upstream: https://github.com/ruby/cgi/commit/35317005f853112295de8b8bd99643e66dff4e33 (0.2.2) upstream: https://github.com/ruby/cgi/commit/3b5db783557a18150a06776b4af07ef658afb7f5 (0.2.2) upstream: https://github.com/ruby/cgi/commit/245b3f7e7446aa0bbd0ab09bf8a8bbc9e098f3ff (0.2.2) upstream: https://github.com/ruby/cgi/commit/85e22c30b4e410d1dc57f21160cc24b236b8cdc6 (1.0.2) upstream: https://github.com/ruby/cgi/commit/5f569ecdb45dc5418f0fd3d1378ba1bde5107ea5 (1.0.2) upstream: https://github.com/ruby/cgi/commit/107a0c67f922044dc78e2fde94f991206267a6a0 (1.0.2) |
||
|
ruby2.5 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.5.1-1ubuntu1.13)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby2.7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby3.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(3.0.2-7ubuntu2.3)
|
|
| kinetic |
Released
(3.0.4-7ubuntu0.1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby3.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621
- https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
- https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708
- https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819
- https://ubuntu.com/security/notices/USN-5806-1
- https://ubuntu.com/security/notices/USN-5806-2
- NVD
- Launchpad
- Debian