CVE-2021-33621
ruby/cgi-gem: HTTP response splitting in CGI
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
La gema cgi anterior a 0.1.0.2, 0.2.x anterior a 0.2.2 y 0.3.x anterior a 0.3.5 para Ruby permite la divisiĆ³n de respuestas HTTP. Esto es relevante para aplicaciones que utilizan entradas de usuarios que no son de confianza, ya sea para generar una respuesta HTTP o para crear un objeto CGI::Cookie.
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-28 CVE Reserved
- 2022-11-18 CVE Published
- 2024-07-09 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20221228-0004 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621 | 2024-08-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ruby-lang Search vendor "Ruby-lang" | Cgi Search vendor "Ruby-lang" for product "Cgi" | < 0.1.0.2 Search vendor "Ruby-lang" for product "Cgi" and version " < 0.1.0.2" | ruby |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Cgi Search vendor "Ruby-lang" for product "Cgi" | >= 0.2.0 < 0.2.2 Search vendor "Ruby-lang" for product "Cgi" and version " >= 0.2.0 < 0.2.2" | ruby |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Cgi Search vendor "Ruby-lang" for product "Cgi" | >= 0.3.0 < 0.3.5 Search vendor "Ruby-lang" for product "Cgi" and version " >= 0.3.0 < 0.3.5" | ruby |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.7.0 < 2.7.7 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.7.0 < 2.7.7" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 3.0.0 < 3.0.5 Search vendor "Ruby-lang" for product "Ruby" and version " >= 3.0.0 < 3.0.5" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 3.1.0 < 3.1.3 Search vendor "Ruby-lang" for product "Ruby" and version " >= 3.1.0 < 3.1.3" | - |
Affected
| ||||||