CVE-2021-33621

Name: CVE-2021-33621
Description: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3450-1
Debian Bugs: 1024799, 1024800

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                        Version          Status
ruby2.5 (PTS)   buster                         2.5.5-3+deb10u4  vulnerable
                buster (security)              2.5.5-3+deb10u6  fixed
ruby2.7 (PTS)   bullseye (security), bullseye  2.7.4-1+deb11u1  vulnerable
ruby3.1 (PTS)   bookworm                       3.1.2-7          fixed
                trixie                         3.1.2-8          fixed
                sid                            3.1.2-8.3        fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
ruby2.5  source  buster      2.5.5-3+deb10u6           DLA-3450-1
ruby2.5  source  (unstable)  (unfixed)
ruby2.7  source  (unstable)  (unfixed)
ruby3.0  source  (unstable)  (unfixed)                             1024800
ruby3.1  source  (unstable)  3.1.2-4                               1024799

Notes

[bullseye] - ruby2.7 <no-dsa> (Minor issue)
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
Fixed by: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (v0.3.4)
Possible followup needed: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (v0.3.5)
Fixed in Ruby 3.1.3, 3.0.5 and 2.2.7
