CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 1CVE-2021-33621 – ruby/cgi-gem: HTTP response splitting in CGI
https://notcve.org/view.php?id=CVE-2021-33621
18 Nov 2022 — The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. La gema cgi anterior a 0.1.0.2, 0.2.x anterior a 0.2.2 y 0.3.x anterior a 0.3.5 para Ruby permite la división de respuestas HTTP. Esto es relevante para aplicaciones que utilizan entradas de usuarios que no son de confianza, ya sea para generar una respuesta HTTP o ... • https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 9.8EPSS: 1%CPEs: 7EXPL: 1CVE-2021-41816 – ruby: buffer overflow in CGI.escape_html
https://notcve.org/view.php?id=CVE-2021-41816
19 Jan 2022 — CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby. El archivo CGI.escape_html en Ruby versiones anteriores a 2.7.5 y 3.x versiones anteriores a 3.0.3, presenta un desbordamiento de enteros y un desbordamiento de búfer resultante por medio de una cadena larga en plataformas (como Windows) donde... • https://hackerone.com/reports/1328463 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 1CVE-2021-41819 – ruby: Cookie prefix spoofing in CGI::Cookie.parse
https://notcve.org/view.php?id=CVE-2021-41819
01 Jan 2022 — CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. CGI::Cookie.parse en Ruby versiones hasta 2.6.8, maneja inapropiadamente los prefijos de seguridad en los nombres de las cookies. Esto también afecta a CGI gem versiones hasta 0.3.0 para Ruby. A flaw was found in Ruby. • https://hackerone.com/reports/910552 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •