FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

Affected packages
2.6.0,1 <= ruby < 2.6.9,1
2.7.0,1 <= ruby < 2.7.5,1
3.0.0,1 <= ruby < 3.0.3,1
2.6.0,1 <= ruby26 < 2.6.9,1
2.7.0,1 <= ruby27 < 2.7.5,1
3.0.0,1 <= ruby30 < 3.0.3,1
rubygem-cgi < 0.3.1

Details

VuXML ID 4548ec97-4d38-11ec-a539-0800270512f4
Discovery 2021-11-24
Entry 2021-11-24

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.
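The report above describes the defect in terms of which part of a `name=value` pair gets URL-decoded. The following added example (not code from the cgi gem or from the FreeBSD entry) models the two behaviours with a deliberately simplified parser: `parse_cookies_old` decodes names as the affected versions did, `parse_cookies_fixed` keeps the name literal as the fix does, and `spoofed_prefix_names` is a hypothetical defender-side check that flags names which only acquire a `__Host-`/`__Secure-` prefix through decoding. The cookie header is constructed for the demonstration.

```ruby
require 'cgi'

# Constructed sample header: the first cookie name is percent-encoded so
# that it only reads as "__Host-session" after URL decoding.
SAMPLE_HEADER = "%5F%5FHost-session=abc; plain=1".freeze

# Cookie-name prefixes that browsers treat as integrity markers.
COOKIE_PREFIXES = ["__Host-", "__Secure-"].freeze

# Split a Cookie header into [name, value] pairs without decoding anything.
def split_cookie_pairs(header)
  header.split(/;\s*/).reject(&:empty?).map do |pair|
    name, value = pair.split('=', 2)
    [name, value.to_s]
  end
end

# Simplified model of the pre-fix behaviour (hypothetical re-implementation,
# not the gem's code): both the name and the value are URL-decoded, so an
# encoded name collapses onto a prefixed one.
def parse_cookies_old(header)
  split_cookie_pairs(header).each_with_object({}) do |(name, value), cookies|
    cookies[CGI.unescape(name)] = CGI.unescape(value)
  end
end

# Simplified model of the fixed behaviour: the name is taken literally and
# only the value is decoded, so "%5F%5FHost-session" stays distinct from
# "__Host-session".
def parse_cookies_fixed(header)
  split_cookie_pairs(header).each_with_object({}) do |(name, value), cookies|
    cookies[name] = CGI.unescape(value)
  end
end

# Defender-side check: names that look prefixed under the old decoding but
# are not literally prefixed on the wire. A non-empty result means the header
# would have been misread by an affected version.
def spoofed_prefix_names(header)
  decoded = parse_cookies_old(header).keys
  literal = parse_cookies_fixed(header).keys
  decoded.select { |n| COOKIE_PREFIXES.any? { |p| n.start_with?(p) } } - literal
end

if __FILE__ == $PROGRAM_NAME
  puts "old:    #{parse_cookies_old(SAMPLE_HEADER).keys.inspect}"
  puts "fixed:  #{parse_cookies_fixed(SAMPLE_HEADER).keys.inspect}"
  puts "spoofed: #{spoofed_prefix_names(SAMPLE_HEADER).inspect}"
end
```

Applications that relied on the old decoding for names containing URL-encoded non-alphanumeric characters will see the literal (encoded) name after upgrading, which is the incompatibility the report mentions.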

References

CVE Name CVE-2021-41819
URL https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/