CVE-2021-33621

Name	CVE-2021-33621
Description	The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3450-1, DLA-3858-1, ELA-1148-1, ELA-1149-1
Debian Bugs	1024799, 1024800

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby2.1 (PTS)	jessie, jessie (lts)	2.1.5-2+deb8u14	fixed
ruby2.3 (PTS)	stretch (security)	2.3.3-1+deb9u11	vulnerable
	stretch (lts), stretch	2.3.3-1+deb9u12	fixed
ruby2.5 (PTS)	buster, buster (lts)	2.5.5-3+deb10u7	fixed
	buster (security)	2.5.5-3+deb10u6	fixed
ruby2.7 (PTS)	bullseye	2.7.4-1+deb11u1	vulnerable
	bullseye (security)	2.7.4-1+deb11u2	fixed
ruby3.1 (PTS)	bookworm (security), bookworm	3.1.2-7+deb12u1	fixed
	sid, trixie	3.1.2-8.4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby2.1	source	jessie	2.1.5-2+deb8u14	ELA-1148-1
ruby2.1	source	(unstable)	(unfixed)
ruby2.3	source	stretch	2.3.3-1+deb9u12	ELA-1149-1
ruby2.3	source	(unstable)	(unfixed)
ruby2.5	source	buster	2.5.5-3+deb10u6	DLA-3450-1
ruby2.5	source	(unstable)	(unfixed)
ruby2.7	source	bullseye	2.7.4-1+deb11u2	DLA-3858-1
ruby2.7	source	(unstable)	(unfixed)
ruby3.0	source	(unstable)	(unfixed)		1024800
ruby3.1	source	(unstable)	3.1.2-4		1024799

Notes

https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
Fixed by: https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 (v0.3.4)
Possible followup needed: https://github.com/ruby/cgi/commit/b46d41c36380e04f6388970b5ef05c687f4d1819 (v0.3.5)
Fixed in Ruby 3.1.3, 3.0.5 and 2.7.7