CVE-2021-33621

NameCVE-2021-33621
DescriptionThe cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3450-1, DLA-3858-1, ELA-1148-1, ELA-1149-1
Debian Bugs1024799, 1024800

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby2.1 (PTS)jessie, jessie (lts)2.1.5-2+deb8u14fixed
ruby2.3 (PTS)stretch (security)2.3.3-1+deb9u11vulnerable
stretch (lts), stretch2.3.3-1+deb9u12fixed
ruby2.5 (PTS)buster, buster (lts)2.5.5-3+deb10u7fixed
buster (security)2.5.5-3+deb10u6fixed
ruby2.7 (PTS)bullseye2.7.4-1+deb11u1vulnerable
bullseye (security)2.7.4-1+deb11u2fixed
ruby3.1 (PTS)bookworm (security), bookworm3.1.2-7+deb12u1fixed
sid, trixie3.1.2-8.4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby2.1sourcejessie2.1.5-2+deb8u14ELA-1148-1
ruby2.1source(unstable)(unfixed)
ruby2.3sourcestretch2.3.3-1+deb9u12ELA-1149-1
ruby2.3source(unstable)(unfixed)
ruby2.5sourcebuster2.5.5-3+deb10u6DLA-3450-1
ruby2.5source(unstable)(unfixed)
ruby2.7sourcebullseye2.7.4-1+deb11u2DLA-3858-1
ruby2.7source(unstable)(unfixed)
ruby3.0source(unstable)(unfixed)1024800
ruby3.1source(unstable)3.1.2-41024799

Notes

https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
Fixed by: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (v0.3.4)
Possible followup needed: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (v0.3.5)
Fixed in Ruby 3.1.3, 3.0.5 and 2.7.7

Search for package or bug name: Reporting problems