Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Related CPEs
a · ruby-lang · cgi · 3
o · fedoraproject · fedora · 3
a · ruby-lang · ruby · 3
References
https://security.netapp.com/advisory/ntap-20221228-0004/ (Third Party Advisory)
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/ (Exploit, Third Party Advisory)
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 · High
Information
Source identifier
Vulnerability status: Modified
Published: 2022-11-18T23:15:18.987
Last modified: 2024-01-24T05:15:10.787