Cookie Prefix Spoofing in CGI::Cookie.parse

GHSA-4vf4-qmvg-mh7h · BIT-ruby-2021-41819 · BIT-ruby-min-2021-41819 · CVE-2021-41819

Published Jan 21, 2022 · Modified Jan 27, 2025

Description

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-41819
WEB https://hackerone.com/reports/910552
PACKAGE https://github.com/ruby/cgi
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-41819.yml
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF
WEB https://security.gentoo.org/glsa/202401-27
WEB https://security.netapp.com/advisory/ntap-20220121-0003
WEB https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes