CVE-2021-33621

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

CVSS v3.0 8.8 HIGH

8.8^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/	Exploit Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20221228-0004/	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:cgi::::::ruby::*
	cpe:2.3:a:ruby-lang:cgi::::::ruby::*
	cpe:2.3:a:ruby-lang:cgi::::::ruby::*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::

Information

Published : 2022-11-18 23:15

Updated : 2023-08-08 14:21

NVD link : CVE-2021-33621

Mitre link : CVE-2021-33621

JSON object : View

Products Affected

ruby-lang

cgi
ruby

fedoraproject

fedora

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/", "name": "https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/", "tags": ["Exploit", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/", "name": "FEDORA-2022-f0f6c6bec2", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/", "name": "FEDORA-2022-ef96a58bbe", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/", "name": "FEDORA-2022-b9b710f199", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://security.netapp.com/advisory/ntap-20221228-0004/", "name": "https://security.netapp.com/advisory/ntap-20221228-0004/", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html", "name": "[debian-lts-announce] 20230609 [SECURITY] [DLA 3450-1] ruby2.5 security update", "tags": [], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-74"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-33621", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}}, "publishedDate": "2022-11-18T23:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.2.2", "versionStartIncluding": "0.2.0"}, {"cpe23Uri": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.1.0.2"}, {"cpe23Uri": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.3.5", "versionStartIncluding": "0.3.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.1.0"}, {"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0"}, {"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.7.7", "versionStartIncluding": "2.7.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-08-08T14:21Z"}