
FreeBSD: VID-84ab03b6-6c20-11ed-b519-080027f5fec9 (CVE-2021-33621): rubygem-cgi -- HTTP response splitting vulnerability

Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Nov 24, 2022
Added
Nov 25, 2022
Modified
Dec 10, 2025

Description

Hiroshi Tokumaru reports: If an application generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents of a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in the Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.
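As an added illustration (not the cgi gem's own code, and not its actual patch), the shape of the argument checking the fix described above introduces: a header field value or a cookie attribute that carries CR or LF ends the current header line, so such values must be rejected before they are joined into the response. The regexes, helper names and sample inputs below are constructed for this example and are not taken from the gem.

```ruby
# Added illustration (not the cgi gem's code): validate header values and
# Set-Cookie components so that untrusted input cannot terminate a header
# line and start another (HTTP response splitting).

# Token characters allowed in a header field name or cookie name (RFC 7230 tchar).
TOKEN_RE = /\A[!#%&'*+\-.^_`|~$0-9A-Za-z]+\z/
# Header field value: printable ASCII plus SP and HTAB; CR, LF and other controls rejected.
FIELD_VALUE_RE = /\A[\t\x20-\x7E]*\z/
# Cookie value and attribute text: no control characters and no ';' (the attribute separator).
COOKIE_TEXT_RE = /\A[^\x00-\x1F\x7F;]*\z/

# True when the value can be emitted on a single header line.
def valid_header_value?(value)
  FIELD_VALUE_RE.match?(value.to_s)
end

# Builds one "Name: value" header line, raising on anything that could split the response.
def header_line(name, value)
  raise ArgumentError, "invalid header name #{name.inspect}" unless TOKEN_RE.match?(name.to_s)
  raise ArgumentError, "invalid header value for #{name}" unless valid_header_value?(value)
  "#{name}: #{value}"
end

# Builds a Set-Cookie line, checking the name, the value and each attribute
# separately before joining them (the shape of the check, not the gem's code).
def set_cookie_line(name, value, path: nil, domain: nil, secure: false, httponly: false)
  raise ArgumentError, "invalid cookie name #{name.inspect}" unless TOKEN_RE.match?(name.to_s)
  raise ArgumentError, "invalid cookie value" unless COOKIE_TEXT_RE.match?(value.to_s)
  parts = ["#{name}=#{value}"]
  [["Path", path], ["Domain", domain]].each do |attr, v|
    next if v.nil?
    raise ArgumentError, "invalid cookie #{attr}" unless COOKIE_TEXT_RE.match?(v.to_s)
    parts << "#{attr}=#{v}"
  end
  parts << "Secure" if secure
  parts << "HttpOnly" if httponly
  header_line("Set-Cookie", parts.join("; "))
end

# Constructed sample inputs: a benign redirect target and one carrying a CRLF.
BENIGN_LOCATION = "/account?lang=en"
SPLIT_LOCATION  = "/account\r\nX-Injected: 1"

# Runs the checks over the samples; a rejected input is reported as "rejected".
def demo
  {
    benign:   (header_line("Location", BENIGN_LOCATION) rescue "rejected"),
    split:    (header_line("Location", SPLIT_LOCATION) rescue "rejected"),
    cookie:   (set_cookie_line("session", "abc123", path: "/", httponly: true) rescue "rejected"),
    bad_path: (set_cookie_line("session", "abc123", path: "/; Domain=other.example") rescue "rejected"),
  }
end

puts demo if __FILE__ == $0
```

The check is deliberately applied to every component before the join, because a value that is harmless on its own (a path, a domain) becomes a header terminator only once it is concatenated into the line; validating the finished string alone would also catch the CRLF case but would not explain which user-supplied component was at fault.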

Solutions

freebsd-upgrade-package-rubygem-cgi
freebsd-upgrade-package-ruby
freebsd-upgrade-package-ruby27
freebsd-upgrade-package-ruby30
freebsd-upgrade-package-ruby31
freebsd-upgrade-package-ruby32