Bug 2026757 (CVE-2021-41819)

Summary: CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, caswilli, hhorak, jaruga, joe, jorton, jprokop, jwong, kaycoth, kyoshida, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vmugicag, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cgi 0.3.1, cgi 0.2.1, cgi 0.1.1, ruby 3.0.3, ruby 2.7.5, ruby 2.6.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ruby. RubyGems cgi gem could allow a remote attacker to conduct spoofing attacks caused by the mishandling of security prefixes in cookie names in the CGI::Cookie.parse function. By sending a specially-crafted request, an attacker could perform cookie prefix spoofing attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-03 01:50:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2026758, 2026759, 2026760, 2026761, 2026762, 2026763, 2028512, 2028513, 2028514, 2028515, 2028516, 2028517, 2028518, 2030657, 2030658, 2053066, 2053067, 2053068, 2053069, 2057449, 2100523, 2109426, 2122989, 2123022, 2128625, 2128632    
Bug Blocks: 2026764    

Description Guilherme de Almeida Suckevicz 2021-11-25 18:12:57 UTC 
The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184.

Reference:
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Comment 1 Guilherme de Almeida Suckevicz 2021-11-25 18:13:41 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026759]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 2026762]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 2026761]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026758]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2026763]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026760]
Comment 2 Garrett Tucker 2021-12-02 14:39:24 UTC 
The decoding attack present in this flaw is present in all shipped versions of RHEL 6 - 9 and RHSCL. This flaw was present due to URL decoding being applied to cookie names. This provided the ability for an attacker to exploit this decoding to spoof security prefixes which could allow some applications to be fooled by the spoofed security prefixes.
Comment 5 errata-xmlrpc 2022-02-16 11:34:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
Comment 6 errata-xmlrpc 2022-02-16 11:35:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
Comment 7 errata-xmlrpc 2022-02-21 10:11:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
Comment 8 errata-xmlrpc 2022-02-21 10:12:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
Comment 9 errata-xmlrpc 2022-02-28 18:56:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
Comment 10 Product Security DevOps Team 2022-03-03 01:50:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41819
Comment 11 Jun Aruga 2022-06-24 15:53:52 UTC 
I updated the "Fixed In Version" field based on the upstream info below.
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Comment 16 errata-xmlrpc 2022-08-01 12:11:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779
Comment 18 errata-xmlrpc 2022-09-13 09:43:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447
Comment 19 errata-xmlrpc 2022-09-13 09:45:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450
Comment 20 errata-xmlrpc 2022-10-11 07:31:25 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855
Comment 21 errata-xmlrpc 2022-10-11 07:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856