CVE-2021-41819

HIGH

Ruby CGI < 2.6.8 and CGI Gem < 0.3.1 - Cookie Security Prefix Bypass

Title source: llm

Description

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

References (6)

Core 6

Core References

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202401-27

Permissions Required, Third Party Advisory

https://hackerone.com/reports/910552

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220121-0003/

Exploit, Vendor Advisory

https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

Scores

CVSS v3 7.5

EPSS 0.0293

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-565

Status published

Products (17)

debian/debian_linux 9.0

debian/debian_linux 10.0

debian/debian_linux 11.0

fedoraproject/fedora 34

fedoraproject/fedora 35

opensuse/factory

opensuse/leap 15.2

redhat/enterprise_linux 8.0

redhat/software_collections

ruby-lang/cgi 0.1.0

... and 7 more

Published Jan 01, 2022

Tracked Since Feb 18, 2026