CVE-2021-33621
Published: 18 November 2022
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
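The response-splitting risk described above, as an added example that is not code from the cgi gem, the upstream patches or this tracker page: a header line built naively from untrusted input beside an application-level guard that rejects CR, LF and other control characters before the value reaches a header or Set-Cookie field. The `TAINTED_VALUE` sample, the regular expression and every function name are constructed for illustration and are not identifiers from the gem.

```ruby
# Added example: an application-side guard against HTTP response splitting.
# This is illustrative code, not the cgi gem's own validation or the upstream fix.
# Header and cookie fields built from untrusted input must never carry CR/LF:
# the client would otherwise parse the injected bytes as further header lines.

# Constructed untrusted input (hypothetical "redirect target" parameter).
TAINTED_VALUE = "/home\r\nSet-Cookie: injected=1"

# Vulnerable pattern: untrusted input interpolated straight into a header.
# Returns the header lines a client would see after splitting on CRLF.
def naive_header_lines(location)
  "Location: #{location}\r\nContent-Type: text/html\r\n".split("\r\n")
end

# Hardened pattern: reject CR, LF and any other ASCII control character
# (including DEL) before the value reaches a header or cookie field.
HEADER_VALUE_RE = /\A[^\x00-\x1f\x7f]*\z/

def safe_header_value(value)
  unless value.is_a?(String) && value.match?(HEADER_VALUE_RE)
    raise ArgumentError, "control character in header value"
  end
  value
end

def hardened_header_lines(location)
  "Location: #{safe_header_value(location)}\r\nContent-Type: text/html\r\n".split("\r\n")
end

# The same guard applied to a Set-Cookie line assembled from name and value.
def set_cookie_line(name, value)
  "Set-Cookie: #{safe_header_value(name)}=#{safe_header_value(value)}"
end

# True when the hardened path refuses the input, false when it passes it through.
def hardened_rejects?(value)
  hardened_header_lines(value)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{naive_header_lines(TAINTED_VALUE).length} header lines (one injected)"
  puts "hardened rejects tainted value: #{hardened_rejects?(TAINTED_VALUE)}"
  puts set_cookie_line("session", "abc123")
end
```

The guard deliberately rejects the whole value rather than stripping the offending bytes: silently sanitising can leave a value that still parses differently from what the application intended, whereas a raised `ArgumentError` surfaces the tainted input where it can be logged and the request refused.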
Priority
CVSS 3 base score: 8.8
Status
| Package | Release | Status |
|---|---|---|
| jruby | bionic | Needs triage |
| | focal | Needs triage |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Needs triage |
| | upstream | Needs triage |
| | xenial | Needs triage |
| ruby1.9.1 | bionic | Does not exist |
| | focal | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Ignored (out of standard support) |
| | upstream | Needs triage |
| | xenial | Does not exist |
| ruby2.0 | bionic | Does not exist |
| | focal | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Ignored (out of standard support) |
| | upstream | Needs triage |
| | xenial | Does not exist |
| ruby2.3 | bionic | Does not exist |
| | focal | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Does not exist |
| | upstream | Released |
| | xenial | Released (2.3.1-2~ubuntu16.04.16+esm4) |
| ruby2.5 | bionic | Released (2.5.1-1ubuntu1.13) |
| | focal | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Does not exist |
| | upstream | Needs triage |
| | xenial | Does not exist |
| ruby2.7 | bionic | Does not exist |
| | focal | Needs triage |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Does not exist |
| | upstream | Needs triage |
| | xenial | Does not exist |
| ruby3.0 | bionic | Does not exist |
| | focal | Does not exist |
| | jammy | Released (3.0.2-7ubuntu2.3) |
| | kinetic | Released (3.0.4-7ubuntu0.1) |
| | trusty | Does not exist |
| | upstream | Needs triage |
| | xenial | Does not exist |
| ruby3.1 | bionic | Does not exist |
| | focal | Does not exist |
| | jammy | Does not exist |
| | kinetic | Does not exist |
| | trusty | Does not exist |
| | upstream | Needs triage |
| | xenial | Does not exist |

Patches (listed under ruby2.3), upstream commits with the cgi gem version that carries each:
- https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (0.3.5)
- https://github.com/ruby/cgi/commit/30107a4797f14227568913499a9a0bb4285de63b (0.3.5)
- https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (0.3.5)
- https://github.com/ruby/cgi/commit/35317005f853112295de8b8bd99643e66dff4e33 (0.2.2)
- https://github.com/ruby/cgi/commit/3b5db783557a18150a06776b4af07ef658afb7f5 (0.2.2)
- https://github.com/ruby/cgi/commit/245b3f7e7446aa0bbd0ab09bf8a8bbc9e098f3ff (0.2.2)
- https://github.com/ruby/cgi/commit/85e22c30b4e410d1dc57f21160cc24b236b8cdc6 (1.0.2)
- https://github.com/ruby/cgi/commit/5f569ecdb45dc5418f0fd3d1378ba1bde5107ea5 (1.0.2)
- https://github.com/ruby/cgi/commit/107a0c67f922044dc78e2fde94f991206267a6a0 (1.0.2)
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621
- https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
- https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708
- https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819
- https://ubuntu.com/security/notices/USN-5806-1
- https://ubuntu.com/security/notices/USN-5806-2