[FREEBSD:4548EC97-4D38-11EC-A539-0800270512F4] rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
Severity: High
Affected Packages: 5
CVEs: 1
ooooooo_q reports:
The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.
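To make the before/after behaviour concrete, the following is an added illustration and not the gem's own code: a simplified stand-in for CGI::Cookie.parse that can run in either mode, plus a check a defender can run over incoming Cookie headers to flag names that only acquire a `__Host-`/`__Secure-` prefix after decoding. `SECURITY_PREFIXES`, `parse_cookie_header`, `spoofed_prefix_names` and `SAMPLE_HEADER` are my own names, and the sample header is constructed input.

```ruby
require 'cgi'

SECURITY_PREFIXES = ['__Host-', '__Secure-'].freeze

# Minimal stand-in for CGI::Cookie.parse (illustration only, not the gem's code).
# decode_names: true  mirrors the pre-fix behaviour: the cookie NAME is URL-decoded.
# decode_names: false mirrors the fixed behaviour: the name is kept exactly as sent.
# Values are decoded in both modes, as the real parser does.
def parse_cookie_header(header, decode_names:)
  header.to_s.split(/;\s?/).each_with_object([]) do |pair, out|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty? || value.nil?
    name = CGI.unescape(name) if decode_names
    out << [name, CGI.unescape(value)]
  end
end

# Defensive check for middleware or a log pipeline: report cookie names that are
# NOT literally prefixed but would become __Host-/__Secure- once URL-decoded.
# A genuinely prefixed cookie is always sent with its literal name, so a hit means
# either a spoofing attempt or an application that itself sets encoded names.
def spoofed_prefix_names(header)
  parse_cookie_header(header, decode_names: false).map(&:first).select do |raw|
    decoded = CGI.unescape(raw)
    SECURITY_PREFIXES.any? { |p| decoded.start_with?(p) && !raw.start_with?(p) }
  end
end

# Constructed sample header: one literal __Host- cookie plus one whose name only
# looks prefixed after decoding (%48 decodes to 'H').
SAMPLE_HEADER = '__%48ost-session=forged; __Host-session=legit; theme=dark'

if $PROGRAM_NAME == __FILE__
  puts "old parse:   #{parse_cookie_header(SAMPLE_HEADER, decode_names: true).inspect}"
  puts "fixed parse: #{parse_cookie_header(SAMPLE_HEADER, decode_names: false).inspect}"
  puts "flagged:     #{spoofed_prefix_names(SAMPLE_HEADER).inspect}"
end
```

With the old behaviour both cookies collapse to the same `__Host-session` name, so whichever one the application reads last wins; with the fixed behaviour the forged name stays distinct and is exactly what the check reports.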
| Package | Affected Version |
|---|---|
| pkg:freebsd/rubygem-cgi | < 0.3.1 |
| pkg:freebsd/ruby30 | < 3.0.3,1 |
| pkg:freebsd/ruby27 | < 2.7.5,1 |
| pkg:freebsd/ruby26 | < 2.6.9,1 |
| pkg:freebsd/ruby | < 2.6.9,1 |
- ID: FREEBSD:4548EC97-4D38-11EC-A539-0800270512F4
- Severity: high
- Severity from: CVE-2021-41819
- URL: http://vuxml.freebsd.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
- Published: 2021-11-24T00:00:00
- Modified: 2021-11-24T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories:
- ALAS2-2024-2486
- ALPINE:CVE-2021-41819
- ALSA-2022:0543
- ALSA-2022:5779
- ALSA-2022:6447
- ALSA-2022:6450
- DSA-5066-1
- DSA-5067-1
- ELSA-2022-0543
- ELSA-2022-5779
- ELSA-2022-6447
- ELSA-2022-6450
- FEDORA-2022-82a9edac27
- FEDORA-2022-8cf0124add
- GLSA-202401-27
- MS:CVE-2021-41819
- RHSA-2022:0543
- RHSA-2022:5779
- RHSA-2022:6447
- RHSA-2022:6450
- RLSA-2022:0543
- RLSA-2022:5779
- RLSA-2022:6447
- RLSA-2022:6450
- RUBYSEC:CGI-2021-41819
- SUSE-SU-2022:3292-1
- USN-5235-1
| Source | URL |
|---|---|
| FreeBSD VuXML | https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ |

| Type | Package URL | Name / Product | Version |
|---|---|---|---|
| Affected | pkg:freebsd/rubygem-cgi | rubygem-cgi | < 0.3.1 |
| Affected | pkg:freebsd/ruby30 | ruby30 | < 3.0.3,1 |
| Affected | pkg:freebsd/ruby27 | ruby27 | < 2.7.5,1 |
| Affected | pkg:freebsd/ruby26 | ruby26 | < 2.6.9,1 |
| Affected | pkg:freebsd/ruby | ruby | < 2.6.9,1 |