Your submission was sent successfully! Close

CVE-2021-41816

Published: 2 December 2021

CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
ruby2.3
Launchpad, Ubuntu, Debian
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Not vulnerable

ruby2.5
Launchpad, Ubuntu, Debian
bionic Not vulnerable

trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)
ruby2.7
Launchpad, Ubuntu, Debian
focal
Released (2.7.0-5ubuntu1.6)
hirsute
Released (2.7.2-4ubuntu1.3)
impish
Released (2.7.4-1ubuntu3.1)
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)
ruby3.0
Launchpad, Ubuntu, Debian
jammy
Released (3.0.2-7ubuntu2)
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)