CVE-2021-33621
HIGH8.8EPSS 1.0%HTTP response splitting in CGI
Published: 11/19/2022Modified: 4/28/2026
Also known as:GHSA-vc47-6rqg-c7f5ALPINE-CVE-2021-33621BIT-ruby-2021-33621BIT-ruby-min-2021-33621CGA-qxj5-c8cc-w3rgDEBIAN-CVE-2021-33621
Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Affected packages (8)
- Alpine/rubyfrom 0, < 2.7.7-r0
- Bitnami/ruby>= 2.7.0, < 2.7.7, >= 3.0.0, < 3.0.5, >= 3.1.0, < 3.1.3
- Bitnami/ruby-min>= 2.7.0, < 2.7.7, >= 3.0.0, < 3.0.5, >= 3.1.0, < 3.1.3
- Debian/ruby2.5from 0, < 2.5.5-3+deb10u6
- Debian/ruby2.7from 0, < 2.7.4-1+deb11u2
- Debian/ruby2.7from 0, < 2.7.4-1+deb11u2
- Debian/ruby3.1from 0, < 3.1.2-4
- RubyGems/cgi>= 0.3.0, < 0.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (21)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33621
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-33621
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-33621
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
- WEBhttps://hackerone.com/reports/1204695
- WEBhttps://lists.debian.org/debian-lts-announce/2023/06/msg00012.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
- WEBhttps://security.gentoo.org/glsa/202401-27
- WEBhttps://security.netapp.com/advisory/ntap-20221228-0004
- WEBhttps://security.netapp.com/advisory/ntap-20221228-0004/
- WEBhttps://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621
- WEBhttps://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/