CVE-2021-33621: HTTP response splitting in CGI
-
We have released the cgi gem version 0.3.5, 0.2.2, and 0.1.0.2 that has a security fix for a HTTP response splitting vulnerability. This vulnerability has been assigned the CVE identifier CVE-2021-33621.
Details
If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.
Also, the contents for a
CGI::Cookie
object were not checked properly. If an application creates aCGI::Cookie
object based on user input, an attacker may exploit it to inject invalid attributes inSet-Cookie
header. We think such applications are unlikely, but we have included a change to check arguments forCGI::Cookie#initialize
preventatively.Please update the cgi gem to version 0.3.5, 0.2.2, and 0.1.0.2, or later. You can use
gem update cgi
to update it. If you are using bundler, please addgem "cgi", ">= 0.3.5"
to yourGemfile
.Affected versions
- cgi gem 0.3.3 or before
- cgi gem 0.2.1 or before
- cgi gem 0.1.1 or 0.1.0.1 or 0.1.0
Credits
Thanks to Hiroshi Tokumaru for discovering this issue.
History
- Originally published at 2022-11-22 02:00:00 (UTC)
Posted by mame on 22 Nov 2022
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
© Lightnetics 2024