Hide Forgot
The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184. Reference: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 2026759] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-34 [bug 2026762] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-34 [bug 2026761] Created ruby:2.7/ruby tracking bugs for this issue: Affects: fedora-all [bug 2026758] Created ruby:3.0/ruby tracking bugs for this issue: Affects: fedora-35 [bug 2026763] Created ruby:master/ruby tracking bugs for this issue: Affects: fedora-all [bug 2026760]
The decoding attack present in this flaw is present in all shipped versions of RHEL 6 - 9 and RHSCL. This flaw was present due to URL decoding being applied to cookie names. This provided the ability for an attacker to exploit this decoding to spoof security prefixes which could allow some applications to be fooled by the spoofed security prefixes.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41819
I updated the "Fixed In Version" field based on the upstream info below. https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856