CVSS v3.x: 7.5 (High)
- ~> 0.1.1
- ~> 0.2.1
- >= 0.3.1
The old versions of
CGI::Cookie.parse applied URL decoding to cookie names.
An attacker could exploit this vulnerability to spoof security prefixes in
cookie names, which may be able to trick a vulnerable application.
By this fix,
CGI::Cookie.parse no longer decodes cookie names. Note that
this is an incompatibility if cookie names that you are using include
non-alphanumeric characters that are URL-encoded.
This is the same issue of CVE-2020-8184.
If you are using Ruby 2.7 or 3.0:
- Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You
gem update cgito update it. If you are using bundler, please add
gem "cgi", ">= 0.3.1"
- Alternatively, please update Ruby to 2.7.5 or 3.0.3.
If you are using Ruby 2.6:
- Please update Ruby to 2.6.9. You cannot use
gem update cgifor Ruby 2.6 or prior.