Bug 2149706 (CVE-2021-33621) - CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI
Summary: CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI
Keywords:
Status: NEW
Alias: CVE-2021-33621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2151264 2151265 2149707 2149708 2149709 2149710 2151262 2151263 2151266 2151267 2151268 2151269
Blocks: 2149712
TreeView+ depends on / blocked
 
Reported: 2022-11-30 16:50 UTC by Pedro Sampaio
Modified: 2022-12-09 04:35 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2022-11-30 16:50:15 UTC 
cgi.rb in Ruby through 2.6.x, through 3.0x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

References:
https://www.ruby-lang.org/en/security/
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2
Comment 1 Pedro Sampaio 2022-11-30 16:50:57 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149707]
Affects: fedora-36 [bug 2149710]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149708]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149709]
Comment 2 Jun Aruga 2022-12-01 14:24:57 UTC 
Note that this CVE is fixed in Ruby to 3.1.3, 3.0.5 or 2.7.7.
https://www.ruby-lang.org/en/news/2022/11/24/ruby-3-1-3-released/
https://www.ruby-lang.org/en/news/2022/11/24/ruby-3-0-5-released/
https://www.ruby-lang.org/en/news/2022/11/24/ruby-2-7-7-released/
Note You need to log in before you can comment on or make changes to this bug.