FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-cgi -- HTTP response splitting vulnerability

Affected packages
rubygem-cgi < 0.3.4
2.7.0,1 <= ruby < 2.7.7,1
3.0.0,1 <= ruby < 3.0.5,1
3.1.0,1 <= ruby < 3.1.3,1
3.2.0.p1,1 <= ruby < 3.2.0.r1,1
2.7.0,1 <= ruby27 < 2.7.7,1
3.0.0,1 <= ruby30 < 3.0.5,1
3.1.0,1 <= ruby31 < 3.1.3,1
3.2.0.p1,1 <= ruby32 < 3.2.0.r1,1

Details

VuXML ID 84ab03b6-6c20-11ed-b519-080027f5fec9
Discovery 2022-11-22
Entry 2022-11-24

Hiroshi Tokumaru reports:

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

References

CVE Name CVE-2021-33621
URL https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/