[FREEBSD:4548EC97-4D38-11EC-A539-0800270512F4] rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

Severity High
Affected Packages 5
CVEs 1

ooooooo_q reports:

    The old versions of CGI::Cookie.parse applied
    URL decoding to cookie names. An attacker could exploit
    this vulnerability to spoof security prefixes in cookie
    names, which may be able to trick a vulnerable
    application.


    By this fix, CGI::Cookie.parse no longer
    decodes cookie names. Note that this is an incompatibility
    if cookie names that you are using include
    non-alphanumeric characters that are URL-encoded.
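
The behaviour change described in the report, as an added example that is not code from the advisory or from the cgi gem: a simplified Cookie header parser (hypothetical `parse_cookie_header`) run with and without name decoding, plus a check that flags raw names which only gain a browser-reserved prefix (`__Host-`, `__Secure-`) after URL decoding. The sample header and all helper names are constructed for illustration.

```ruby
require "uri"

# Cookie-name prefixes reserved by browsers (compared case-insensitively here).
SECURITY_PREFIXES = ["__host-", "__secure-"].freeze

# URL-decode a string; keep it unchanged if the %-escapes are malformed.
def safe_decode(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

def reserved_prefix?(name)
  SECURITY_PREFIXES.any? { |prefix| name.downcase.start_with?(prefix) }
end

# Simplified model of a Cookie header parser (an assumption, not the gem's code).
# decode_names: true  models the old behaviour (names are URL-decoded)
# decode_names: false models the fixed behaviour (names are kept verbatim)
def parse_cookie_header(header, decode_names:)
  header.split(/;\s*/).each_with_object({}) do |pair, jar|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    name = safe_decode(name) if decode_names
    jar[name] ||= safe_decode(value.to_s) # first occurrence wins
  end
end

# Defensive check: raw names that carry a reserved prefix only after decoding.
# Useful for auditing request logs or rejecting such requests at the edge.
def disguised_prefix_names(header)
  header.split(/;\s*/).filter_map do |pair|
    raw = pair.split("=", 2).first.to_s
    decoded = safe_decode(raw)
    raw if raw != decoded && !reserved_prefix?(raw) && reserved_prefix?(decoded)
  end
end

# Constructed sample header: the second name is percent-encoded on the wire.
SAMPLE = "theme=dark; %5F%5FHost-session=abc123"

if __FILE__ == $PROGRAM_NAME
  puts "old parser names:   #{parse_cookie_header(SAMPLE, decode_names: true).keys}"
  puts "fixed parser names: #{parse_cookie_header(SAMPLE, decode_names: false).keys}"
  puts "flagged raw names:  #{disguised_prefix_names(SAMPLE)}"
end
```

An application that trusts a prefixed cookie name should look it up by its exact raw name, which is what the fixed parser returns.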

Package                   Affected Version
pkg:freebsd/rubygem-cgi   < 0.3.1
pkg:freebsd/ruby30        < 3.0.3,1
pkg:freebsd/ruby27        < 2.7.5,1
pkg:freebsd/ruby26        < 2.6.9,1
pkg:freebsd/ruby          < 2.6.9,1