Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
References (8)
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202401-27
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221228-0004/
Exploit, Third Party Advisory
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
Scores
CVSS v3
8.8
EPSS
0.0137
EPSS Percentile
80.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-74
Status
published
Products (6)
fedoraproject/fedora
35
fedoraproject/fedora
36
fedoraproject/fedora
37
ruby-lang/cgi
< 0.1.0.2
ruby-lang/ruby
2.7.0 - 2.7.7
rubygems/cgi
0.3.0 - 0.3.5 (RubyGems)
Published
Nov 18, 2022
Tracked Since
Feb 18, 2026