CVE-2021-33621
Severity: HIGH 8.8 | EPSS: 1.0% | HTTP response splitting in CGI
Published: 2022/11/19 | Modified: 2026/4/28
Also known as: GHSA-vc47-6rqg-c7f5, ALPINE-CVE-2021-33621, BIT-ruby-2021-33621, BIT-ruby-min-2021-33621, CGA-qxj5-c8cc-w3rg, DEBIAN-CVE-2021-33621
Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Affected packages
- Alpine / ruby: from 0, < 2.7.7-r0
- Bitnami / ruby: >= 2.7.0, < 2.7.7; >= 3.0.0, < 3.0.5; >= 3.1.0, < 3.1.3
- Bitnami / ruby-min: >= 2.7.0, < 2.7.7; >= 3.0.0, < 3.0.5; >= 3.1.0, < 3.1.3
- Debian / ruby2.5: from 0, < 2.5.5-3+deb10u6
- Debian / ruby2.7: from 0, < 2.7.4-1+deb11u2
- Debian / ruby3.1: from 0, < 3.1.2-4
- RubyGems / cgi: >= 0.3.0, < 0.3.5
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-33621
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2021-33621
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-33621
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
- WEB: https://hackerone.com/reports/1204695
- WEB: https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html
- WEB: https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
- WEB: https://security.gentoo.org/glsa/202401-27
- WEB: https://security.netapp.com/advisory/ntap-20221228-0004
- WEB: https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621