Description
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
Scores
CVSS v3: 7.5
EPSS: 0.0076
EPSS Percentile: 73.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-565
Status: published
Products (17)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
opensuse/factory
opensuse/leap 15.2
redhat/enterprise_linux 8.0
redhat/software_collections
ruby-lang/cgi 0.1.0
... and 7 more
Published: Jan 01, 2022
Tracked Since: Feb 18, 2026