CVE-2021-41819

CVE-2021-41819

Name

CVE-2021-41819

Description

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://hackerone.com/reports/910552
CONFIRM	https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Third Party Advisory	https://security.netapp.com/advisory/ntap-20220121-0003/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
cve@mitre.org	https://security.gentoo.org/glsa/202401-27

Type

URI

MISC

https://hackerone.com/reports/910552

CONFIRM

https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220121-0003/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/

cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/

cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/

cve@mitre.org

https://security.gentoo.org/glsa/202401-27

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 3.0.0	< 3.0.3
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.7.0	< 2.7.5
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= None	<= 2.6.8
`cpe:2.3:a:ruby-lang:cgi:0.3.0:::::ruby::`	ruby-cgi	== None	== 0.3.0
`cpe:2.3:a:ruby-lang:cgi:0.2.0:::::ruby::`	ruby-cgi	== None	== 0.2.0
`cpe:2.3:a:ruby-lang:cgi:0.1.0:::::ruby::`	ruby-cgi	== None	== 0.1.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 3.0.0

< 3.0.3

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.7.0

< 2.7.5

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= None

<= 2.6.8

cpe:2.3:a:ruby-lang:cgi:0.3.0:*:*:*:*:ruby:*:*

ruby-cgi

== None

== 0.3.0

cpe:2.3:a:ruby-lang:cgi:0.2.0:*:*:*:*:ruby:*:*

ruby-cgi

== None

== 0.2.0

cpe:2.3:a:ruby-lang:cgi:0.1.0:*:*:*:*:ruby:*:*

ruby-cgi

== None

== 0.1.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
ruby	edge-main	3.0.3-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
ruby	edge-main	2.7.4-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
ruby	edge-main	2.7.4-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
ruby	edge-main	2.7.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
ruby	edge-main	2.7.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
ruby	edge-main	2.7.2-r0	None	possibly vulnerable
ruby	edge-main	2.6.6-r0	None	possibly vulnerable
ruby	edge-main	2.6.5-r0	None	possibly vulnerable
ruby	edge-main	2.5.2-r0	None	possibly vulnerable
ruby	edge-main	2.5.1-r0	None	possibly vulnerable
ruby	edge-main	2.4.3-r0	None	possibly vulnerable
ruby	edge-main	2.4.2-r0	None	possibly vulnerable
ruby	3.22-main	3.0.3-r0	None	fixed
ruby	3.22-main	2.7.4-r0	None	possibly vulnerable
ruby	3.22-main	2.7.3-r0	None	possibly vulnerable
ruby	3.22-main	2.7.2-r0	None	possibly vulnerable
ruby	3.22-main	2.6.6-r0	None	possibly vulnerable
ruby	3.22-main	2.6.5-r0	None	possibly vulnerable
ruby	3.22-main	2.5.2-r0	None	possibly vulnerable
ruby	3.22-main	2.5.1-r0	None	possibly vulnerable
ruby	3.22-main	2.4.3-r0	None	possibly vulnerable
ruby	3.22-main	2.4.2-r0	None	possibly vulnerable
ruby	3.21-main	3.0.3-r0	None	fixed
ruby	3.21-main	2.7.4-r0	None	possibly vulnerable
ruby	3.21-main	2.7.3-r0	None	possibly vulnerable
ruby	3.21-main	2.7.2-r0	None	possibly vulnerable
ruby	3.21-main	2.6.6-r0	None	possibly vulnerable
ruby	3.21-main	2.6.5-r0	None	possibly vulnerable
ruby	3.21-main	2.5.2-r0	None	possibly vulnerable
ruby	3.21-main	2.5.1-r0	None	possibly vulnerable
ruby	3.21-main	2.4.3-r0	None	possibly vulnerable
ruby	3.21-main	2.4.2-r0	None	possibly vulnerable
ruby	3.20-main	3.0.3-r0	None	fixed
ruby	3.20-main	2.7.4-r0	None	possibly vulnerable
ruby	3.20-main	2.7.3-r0	None	possibly vulnerable
ruby	3.20-main	2.7.2-r0	None	possibly vulnerable
ruby	3.20-main	2.6.6-r0	None	possibly vulnerable
ruby	3.20-main	2.6.5-r0	None	possibly vulnerable
ruby	3.20-main	2.5.2-r0	None	possibly vulnerable
ruby	3.20-main	2.5.1-r0	None	possibly vulnerable
ruby	3.20-main	2.4.3-r0	None	possibly vulnerable
ruby	3.20-main	2.4.2-r0	None	possibly vulnerable
ruby	3.19-main	3.0.3-r0	None	fixed
ruby	3.19-main	2.7.4-r0	None	possibly vulnerable
ruby	3.19-main	2.7.3-r0	None	possibly vulnerable
ruby	3.19-main	2.7.2-r0	None	possibly vulnerable
ruby	3.19-main	2.6.6-r0	None	possibly vulnerable
ruby	3.19-main	2.6.5-r0	None	possibly vulnerable
ruby	3.19-main	2.5.2-r0	None	possibly vulnerable
ruby	3.19-main	2.5.1-r0	None	possibly vulnerable
ruby	3.19-main	2.4.3-r0	None	possibly vulnerable
ruby	3.19-main	2.4.2-r0	None	possibly vulnerable
ruby	3.18-main	3.0.3-r0	None	fixed
ruby	3.17-main	3.0.3-r0	None	fixed
ruby	3.12-main	2.7.5-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

ruby

edge-main

3.0.3-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

ruby

edge-main