Bug 2149706 (CVE-2021-33621) - CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI
Summary: CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2149707 2149708 2149709 2149710 2151262 2151263 2151264 2151265 2151266 2151267 2151268 2151269 2189468
Blocks: 2149712
TreeView+ depends on / blocked
 
Reported: 2022-11-30 16:50 UTC by Pedro Sampaio
Modified: 2024-04-01 01:16 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients.
Clone Of:
Environment:
Last Closed: 2023-06-27 19:29:01 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3291 0 None None None 2023-05-24 08:55:57 UTC
Red Hat Product Errata RHSA-2023:3821 0 None None None 2023-06-27 14:57:54 UTC
Red Hat Product Errata RHSA-2023:7025 0 None None None 2023-11-14 15:18:47 UTC
Red Hat Product Errata RHSA-2024:1431 0 None None None 2024-03-19 18:37:50 UTC
Red Hat Product Errata RHSA-2024:1576 0 None None None 2024-04-01 01:16:38 UTC

Description Pedro Sampaio 2022-11-30 16:50:15 UTC
cgi.rb in Ruby through 2.6.x, through 3.0x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.

References:
https://www.ruby-lang.org/en/security/
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2

Comment 1 Pedro Sampaio 2022-11-30 16:50:57 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149707]
Affects: fedora-36 [bug 2149710]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149708]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2149709]

Comment 6 errata-xmlrpc 2023-05-24 08:55:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:3291 https://access.redhat.com/errata/RHSA-2023:3291

Comment 7 errata-xmlrpc 2023-06-27 14:57:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3821 https://access.redhat.com/errata/RHSA-2023:3821

Comment 8 Product Security DevOps Team 2023-06-27 19:28:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33621

Comment 9 errata-xmlrpc 2023-11-14 15:18:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7025 https://access.redhat.com/errata/RHSA-2023:7025

Comment 10 errata-xmlrpc 2024-03-19 18:37:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1431 https://access.redhat.com/errata/RHSA-2024:1431

Comment 11 errata-xmlrpc 2024-04-01 01:16:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1576 https://access.redhat.com/errata/RHSA-2024:1576


Note You need to log in before you can comment on or make changes to this bug.