RubySec

Providing security resources for the Ruby community

CVE-2021-33621 (cgi): HTTP response splitting in CGI

ADVISORIES

GEM

cgi

SEVERITY

CVSS v3.x: 8.8 (High)

PATCHED VERSIONS

  • ~> 0.1.0.2
  • ~> 0.2.2
  • >= 0.3.5

DESCRIPTION

cgi.rb in Ruby through 2.6.x, through 3.0.x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into an HTTP response header (for example via CGI#header) or into a CGI::Cookie, an attacker can include a carriage-return or line-feed character in that input to terminate the current header line and start a new one, injecting additional headers such as Set-Cookie or even a forged response body that deceives the client. The fixed versions reject CR and LF in header and cookie values instead of emitting them verbatim.
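The following is an added illustration, not code from the advisory or from the cgi gem. It builds a small header block the way an unpatched serializer would (plain concatenation), parses the result as a client would to make the split visible, and then applies a CR/LF rejection check of the kind the patched versions add. The attacker input (`MALICIOUS_LOCATION`), the helper names and the `HeaderInjection` error class are all constructed for this example.

```ruby
# Added example: HTTP response splitting via an unvalidated header value,
# and the validation that prevents it. Not the cgi gem's own code.

CRLF = "\r\n"

class HeaderInjection < StandardError; end

# Vulnerable pattern: the value is concatenated into the header line as-is,
# so any CR/LF inside it is emitted verbatim and terminates the line early.
def build_header_unchecked(fields)
  fields.map { |name, value| "#{name}: #{value}#{CRLF}" }.join + CRLF
end

# Hardened pattern: refuse to serialise a name or value containing CR or LF.
# Rejecting (rather than stripping) is safer: the caller learns that the
# input was hostile instead of silently getting a different header.
def build_header_checked(fields)
  fields.each do |name, value|
    if name.to_s.match?(/[\r\n]/) || value.to_s.match?(/[\r\n]/)
      raise HeaderInjection, "CR/LF in header #{name.inspect}"
    end
  end
  build_header_unchecked(fields)
end

# Parse a raw response back into [name, value] pairs, as an HTTP client would,
# so the injected header is visible as a separate field.
def parse_headers(raw)
  head, _body = raw.split(CRLF + CRLF, 2)
  head.split(CRLF).map { |line| line.split(": ", 2) }
end

# Constructed attacker-controlled input, e.g. a redirect target taken from a
# query parameter. It closes the Location line, adds a Set-Cookie header,
# ends the header block, and supplies its own body.
MALICIOUS_LOCATION =
  "https://example.com/\r\nSet-Cookie: session=attacker\r\n\r\n<html>phish</html>"

# With the unchecked builder the client sees three headers, one of them
# attacker-supplied, followed by the attacker's body.
def demo_unchecked
  raw = build_header_unchecked("Status" => "302 Found", "Location" => MALICIOUS_LOCATION)
  parse_headers(raw)
end

# With the checked builder the same input is rejected before anything is emitted.
def demo_checked
  build_header_checked("Status" => "302 Found", "Location" => MALICIOUS_LOCATION)
  :accepted
rescue HeaderInjection => e
  e.message
end

if __FILE__ == $0
  puts "unchecked: #{demo_unchecked.inspect}"
  puts "checked:   #{demo_checked}"
end
```

Running the file shows the unchecked builder handing the client a `Set-Cookie: session=attacker` header it never intended to send, while the checked builder raises before the response is written. The same check applies to cookie names, values, paths and domains, since those are also serialised into a header line.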