2149706 – (CVE-2021-33621) CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI

Bug 2149706 (CVE-2021-33621) - CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI

Summary: CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-33621
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2149707 2149708 2149709 2149710 2151262 2151263 2151264 2151265 2151266 2151267 2151268 2151269 2189468
Blocks:	2149712
TreeView+	depends on / blocked

Reported:	2022-11-30 16:50 UTC by Pedro Sampaio
Modified:	2024-07-15 16:15 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients.
Clone Of:
Environment:
Last Closed:	2023-06-27 19:29:01 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2024:3540	None	None	None	2024-06-03 01:16:38 UTC
Red Hat Product Errata	RHBA-2024:3996	None	None	None	2024-06-20 01:56:01 UTC
Red Hat Product Errata	RHSA-2023:3291	None	None	None	2023-05-24 08:55:57 UTC
Red Hat Product Errata	RHSA-2023:3821	None	None	None	2023-06-27 14:57:54 UTC
Red Hat Product Errata	RHSA-2023:7025	None	None	None	2023-11-14 15:18:47 UTC
Red Hat Product Errata	RHSA-2024:1431	None	None	None	2024-03-19 18:37:50 UTC
Red Hat Product Errata	RHSA-2024:1576	None	None	None	2024-04-01 01:16:38 UTC
Red Hat Product Errata	RHSA-2024:3500	None	None	None	2024-05-30 13:12:37 UTC
Red Hat Product Errata	RHSA-2024:3838	None	None	None	2024-06-11 19:42:22 UTC
Red Hat Product Errata	RHSA-2024:4542	None	None	None	2024-07-15 16:15:43 UTC

Description Pedro Sampaio 2022-11-30 16:50:15 UTC

cgi.rb in Ruby through 2.6.x, through 3.0x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

References:
https://www.ruby-lang.org/en/security/
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2

Comment 1 Pedro Sampaio 2022-11-30 16:50:57 UTC

Created ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149707]
Affects: fedora-36 [bug 2149710]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149708]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149709]

Comment 2 Jun Aruga 2022-12-01 14:24:57 UTC

Note that this CVE is fixed in Ruby to 3.1.3, 3.0.5 or 2.7.7.
https://www.ruby-lang.org/en/news/2022/11/24/ruby-3-1-3-released/
https://www.ruby-lang.org/en/news/2022/11/24/ruby-3-0-5-released/
https://www.ruby-lang.org/en/news/2022/11/24/ruby-2-7-7-released/

Comment 6 errata-xmlrpc 2023-05-24 08:55:55 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:3291 https://access.redhat.com/errata/RHSA-2023:3291

Comment 7 errata-xmlrpc 2023-06-27 14:57:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3821 https://access.redhat.com/errata/RHSA-2023:3821

Comment 8 Product Security DevOps Team 2023-06-27 19:28:59 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33621

Comment 9 errata-xmlrpc 2023-11-14 15:18:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7025 https://access.redhat.com/errata/RHSA-2023:7025

Comment 10 errata-xmlrpc 2024-03-19 18:37:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1431 https://access.redhat.com/errata/RHSA-2024:1431

Comment 11 errata-xmlrpc 2024-04-01 01:16:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1576 https://access.redhat.com/errata/RHSA-2024:1576

Comment 13 errata-xmlrpc 2024-05-30 13:12:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500

Comment 14 errata-xmlrpc 2024-06-11 19:42:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838

Comment 15 errata-xmlrpc 2024-07-15 16:15:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4542 https://access.redhat.com/errata/RHSA-2024:4542

Note You need to log in before you can comment on or make changes to this bug.