github - GHSA-4vf4-qmvg-mh7h

GHSA-4vf4-qmvg-mh7h

Vulnerability from github

Published

2022-01-21 23:22

Modified

2023-08-29 16:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Cookie Prefix Spoofing in CGI::Cookie.parse

Details

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.3.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-13T18:53:26Z",
    "nvd_published_at": "2022-01-01T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.",
  "id": "GHSA-4vf4-qmvg-mh7h",
  "modified": "2023-08-29T16:46:42Z",
  "published": "2022-01-21T23:22:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41819"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/910552"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/cgi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-41819.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-27"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220121-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cookie Prefix Spoofing in CGI::Cookie.parse"
}

The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184. If you are using Ruby 2.7 or 3.0: * Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use `gem update cgi` to update it. If you are using bundler, please add `gem "cgi", ">= 0.3.1"`` to your `Gemfile`. * Alternatively, please update Ruby to 2.7.5 or 3.0.3. If you are using Ruby 2.6: * Please update Ruby to 2.6.9. You cannot use `gem update cgi` for Ruby 2.6 or prior.

Aliases

CVE-2021-41819

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41819",
    "description": "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.",
    "id": "GSD-2021-41819",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-41819.html",
      "https://www.debian.org/security/2022/dsa-5066",
      "https://www.debian.org/security/2022/dsa-5067",
      "https://access.redhat.com/errata/RHSA-2022:0708",
      "https://access.redhat.com/errata/RHSA-2022:0582",
      "https://access.redhat.com/errata/RHSA-2022:0581",
      "https://access.redhat.com/errata/RHSA-2022:0544",
      "https://access.redhat.com/errata/RHSA-2022:0543",
      "https://ubuntu.com/security/CVE-2021-41819",
      "https://advisories.mageia.org/CVE-2021-41819.html",
      "https://security.archlinux.org/CVE-2021-41819",
      "https://linux.oracle.com/cve/CVE-2021-41819.html",
      "https://access.redhat.com/errata/RHSA-2022:5779",
      "https://access.redhat.com/errata/RHSA-2022:6447",
      "https://access.redhat.com/errata/RHSA-2022:6450",
      "https://access.redhat.com/errata/RHSA-2022:6855",
      "https://access.redhat.com/errata/RHSA-2022:6856"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "cgi",
            "purl": "pkg:gem/cgi"
          }
        }
      ],
      "aliases": [
        "CVE-2021-41819",
        "GHSA-4vf4-qmvg-mh7h"
      ],
      "details": "The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names.\nAn attacker could exploit this vulnerability to spoof security prefixes in\ncookie names, which may be able to trick a vulnerable application.\n\nBy this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that\nthis is an incompatibility if cookie names that you are using include\nnon-alphanumeric characters that are URL-encoded.\n\nThis is the same issue of CVE-2020-8184.\n\nIf you are using Ruby 2.7 or 3.0:\n\n* Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You\n  can use `gem update cgi` to update it. If you are using bundler, please add\n  `gem \"cgi\", \"\u003e= 0.3.1\"`` to your `Gemfile`.\n* Alternatively, please update Ruby to 2.7.5 or 3.0.3.\n\nIf you are using Ruby 2.6:\n\n* Please update Ruby to 2.6.9. You cannot use `gem update cgi` for Ruby 2.6 or\n  prior.",
      "id": "GSD-2021-41819",
      "modified": "2021-11-24T00:00:00.000Z",
      "published": "2021-11-24T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
        }
      ],
      "related": [
        "CVE-2020-8184"
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Cookie Prefix Spoofing in CGI::Cookie.parse"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-41819",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/910552",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/910552"
          },
          {
            "name": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/",
            "refsource": "CONFIRM",
            "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20220121-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20220121-0003/"
          },
          {
            "name": "FEDORA-2022-82a9edac27",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "name": "FEDORA-2022-8cf0124add",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "name": "GLSA-202401-27",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202401-27"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-41819",
      "cvss_v3": 7.5,
      "date": "2021-11-24",
      "description": "The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names.\nAn attacker could exploit this vulnerability to spoof security prefixes in\ncookie names, which may be able to trick a vulnerable application.\n\nBy this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that\nthis is an incompatibility if cookie names that you are using include\nnon-alphanumeric characters that are URL-encoded.\n\nThis is the same issue of CVE-2020-8184.\n\nIf you are using Ruby 2.7 or 3.0:\n\n* Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You\n  can use `gem update cgi` to update it. If you are using bundler, please add\n  `gem \"cgi\", \"\u003e= 0.3.1\"`` to your `Gemfile`.\n* Alternatively, please update Ruby to 2.7.5 or 3.0.3.\n\nIf you are using Ruby 2.6:\n\n* Please update Ruby to 2.6.9. You cannot use `gem update cgi` for Ruby 2.6 or\n  prior.",
      "gem": "cgi",
      "ghsa": "4vf4-qmvg-mh7h",
      "patched_versions": [
        "~\u003e 0.1.0.1",
        "~\u003e 0.1.1",
        "~\u003e 0.2.1",
        "\u003e= 0.3.1"
      ],
      "related": {
        "cve": [
          "2020-8184"
        ]
      },
      "title": "Cookie Prefix Spoofing in CGI::Cookie.parse",
      "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.1.0 \u003c=0.3.0",
          "affected_versions": "All versions starting from 0.1.0 up to 0.3.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-565",
            "CWE-937"
          ],
          "date": "2022-09-10",
          "description": "CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names. This also affects the CGI gem for Ruby.",
          "fixed_versions": [
            "0.3.1"
          ],
          "identifier": "CVE-2021-41819",
          "identifiers": [
            "CVE-2021-41819"
          ],
          "not_impacted": "All versions before 0.1.0, all versions after 0.3.0",
          "package_slug": "gem/cgi",
          "pubdate": "2022-01-01",
          "solution": "Upgrade to version 0.3.1 or above.",
          "title": "Reliance on Cookies without Validation and Integrity Checking in a Security Decision",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41819",
            "https://hackerone.com/reports/910552",
            "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
          ],
          "uuid": "884c99ae-8baa-4a77-94fe-f0434735f233"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:cgi:0.1.0:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "2DEC113F-FF5D-48DC-896B-E1C8A2C76C9C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:cgi:0.2.0:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "59B7F28D-757D-429F-88B5-7A8DAFB9BB4C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:cgi:0.3.0:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "C8CB09D2-66DD-4E05-B9FC-F1C632C6942F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "64AC442C-39CB-477C-9356-F36AF6762E53",
                    "versionEndIncluding": "2.6.8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D7B53365-0B48-4408-A4A7-9A3744F89F07",
                    "versionEndExcluding": "2.7.5",
                    "versionStartIncluding": "2.7.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D4499575-33A0-47D7-A88B-0E6FD2340792",
                    "versionEndExcluding": "3.0.3",
                    "versionStartIncluding": "3.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:suse:linux_enterprise:11.0:sp1:*:*:*:*:*:*",
                    "matchCriteriaId": "4500161F-13A0-4369-B93A-778B34E7F005",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1607628F-77A7-4C1F-98DF-0DC50AE8627D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E29492E1-43D8-43BF-94E3-26A762A66FAA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby."
          },
          {
            "lang": "es",
            "value": "CGI::Cookie.parse en Ruby versiones hasta 2.6.8, maneja inapropiadamente los prefijos de seguridad en los nombres de las cookies. Esto tambi\u00e9n afecta a CGI gem versiones hasta 0.3.0 para Ruby."
          }
        ],
        "id": "CVE-2021-41819",
        "lastModified": "2024-01-24T05:15:11.853",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-01-01T06:15:07.293",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Permissions Required",
              "Third Party Advisory"
            ],
            "url": "https://hackerone.com/reports/910552"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://security.gentoo.org/glsa/202401-27"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0003/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-565"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

cve-2021-41819

Vulnerability from cvelistv5

Published

2022-01-01 00:00

Modified

2024-08-04 03:22

Severity ?

Summary

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

References

▼	URL	Tags
	https://hackerone.com/reports/910552
	https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
	https://security.netapp.com/advisory/ntap-20220121-0003/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/	vendor-advisory
	https://security.gentoo.org/glsa/202401-27	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:22:24.942Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/910552"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0003/"
          },
          {
            "name": "FEDORA-2022-82a9edac27",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "name": "FEDORA-2022-8cf0124add",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "name": "GLSA-202401-27",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-27"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-24T05:06:40.201990",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/910552"
        },
        {
          "url": "https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220121-0003/"
        },
        {
          "name": "FEDORA-2022-82a9edac27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
        },
        {
          "name": "FEDORA-2022-8cf0124add",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
        },
        {
          "name": "GLSA-202401-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-27"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-41819",
    "datePublished": "2022-01-01T00:00:00",
    "dateReserved": "2021-09-29T00:00:00",
    "dateUpdated": "2024-08-04T03:22:24.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

GHSA-4vf4-qmvg-mh7h

Vulnerability from github

gsd-2021-41819

Vulnerability from gsd

cve-2021-41819

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature