Bug 2026757 (CVE-2021-41819) - CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse
Summary: CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41819
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2026758 2026759 2026760 2026761 2026762 2026763 2028512 2028513 2028514 2028515 2028516 2028517 2028518 2030657 2030658 2053066 2053067 2053068 2053069 2057449 2100523 2109426 2122989 2123022 2128625 2128632
Blocks: 2026764
TreeView+ depends on / blocked
 
Reported: 2021-11-25 18:12 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-03-16 14:24 UTC (History)
20 users (show)

Fixed In Version: cgi 0.3.1, cgi 0.2.1, cgi 0.1.1, ruby 3.0.3, ruby 2.7.5, ruby 2.6.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ruby. RubyGems cgi gem could allow a remote attacker to conduct spoofing attacks caused by the mishandling of security prefixes in cookie names in the CGI::Cookie.parse function. By sending a specially-crafted request, an attacker could perform cookie prefix spoofing attacks.
Clone Of:
Environment:
Last Closed: 2022-03-03 01:50:25 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0593 0 None None None 2022-02-22 12:52:09 UTC
Red Hat Product Errata RHSA-2022:0543 0 None None None 2022-02-16 11:34:56 UTC
Red Hat Product Errata RHSA-2022:0544 0 None None None 2022-02-16 11:35:36 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:47 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:43 UTC
Red Hat Product Errata RHSA-2022:0708 0 None None None 2022-02-28 18:56:59 UTC
Red Hat Product Errata RHSA-2022:5779 0 None None None 2022-08-01 12:11:09 UTC
Red Hat Product Errata RHSA-2022:6447 0 None None None 2022-09-13 09:44:01 UTC
Red Hat Product Errata RHSA-2022:6450 0 None None None 2022-09-13 09:45:05 UTC
Red Hat Product Errata RHSA-2022:6855 0 None None None 2022-10-11 07:31:28 UTC
Red Hat Product Errata RHSA-2022:6856 0 None None None 2022-10-11 07:32:44 UTC

Description Guilherme de Almeida Suckevicz 2021-11-25 18:12:57 UTC
The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184.

Reference:
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

Comment 1 Guilherme de Almeida Suckevicz 2021-11-25 18:13:41 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026759]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 2026762]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 2026761]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026758]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-35 [bug 2026763]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026760]

Comment 2 Garrett Tucker 2021-12-02 14:39:24 UTC
The decoding attack present in this flaw is present in all shipped versions of RHEL 6 - 9 and RHSCL. This flaw was present due to URL decoding being applied to cookie names. This provided the ability for an attacker to exploit this decoding to spoof security prefixes which could allow some applications to be fooled by the spoofed security prefixes.

Comment 5 errata-xmlrpc 2022-02-16 11:34:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

Comment 6 errata-xmlrpc 2022-02-16 11:35:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

Comment 7 errata-xmlrpc 2022-02-21 10:11:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 8 errata-xmlrpc 2022-02-21 10:12:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

Comment 9 errata-xmlrpc 2022-02-28 18:56:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708

Comment 10 Product Security DevOps Team 2022-03-03 01:50:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41819

Comment 11 Jun Aruga 2022-06-24 15:53:52 UTC
I updated the "Fixed In Version" field based on the upstream info below.
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

Comment 16 errata-xmlrpc 2022-08-01 12:11:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779

Comment 18 errata-xmlrpc 2022-09-13 09:43:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447

Comment 19 errata-xmlrpc 2022-09-13 09:45:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450

Comment 20 errata-xmlrpc 2022-10-11 07:31:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855

Comment 21 errata-xmlrpc 2022-10-11 07:32:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856


Note You need to log in before you can comment on or make changes to this bug.