Posted by mame on 24 Nov 2021
A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.
Details
Old versions of CGI::Cookie.parse applied URL decoding to cookie names.
An attacker could exploit this to spoof security prefixes in cookie names, which may trick a vulnerable application.
With this fix, CGI::Cookie.parse no longer decodes cookie names.
Note that this is an incompatible change if the cookie names you use include URL-encoded non-alphanumeric characters.
This is the same issue as CVE-2020-8184.
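The difference between the two behaviours, shown as an added example that is not the cgi gem's own code: two simplified, hypothetical parsers (one decodes names, one keeps them verbatim) run over a constructed Cookie header, plus a check that flags names which gain a `__Host-` or `__Secure-` prefix only after decoding. All function names and the sample header are assumptions made for illustration.

```ruby
require "uri"

# Constructed sample Cookie header: the first name is URL-encoded, so it only
# looks like a "__Host-" prefixed cookie after decoding.
SAMPLE_HEADER = "%5F%5FHost-session=from-elsewhere; theme=dark"

SECURITY_PREFIXES = ["__Host-", "__Secure-"].freeze

# Split a Cookie header into [raw_name, raw_value] pairs, skipping empty ones.
def split_pairs(header)
  header.split(/;\s*/)
        .map { |pair| pair.split("=", 2) }
        .reject { |name, _| name.nil? || name.empty? }
end

# Simplified model of the old behaviour: names AND values are URL-decoded.
def parse_decoding_names(header)
  split_pairs(header).to_h do |name, value|
    [URI.decode_www_form_component(name),
     URI.decode_www_form_component(value.to_s)]
  end
end

# Simplified model of the fixed behaviour: names are kept verbatim.
def parse_raw_names(header)
  split_pairs(header).to_h do |name, value|
    [name, URI.decode_www_form_component(value.to_s)]
  end
end

# Defensive check: raw names that acquire a security prefix only once decoded.
def spoofed_prefix_names(header)
  split_pairs(header).map(&:first).select do |name|
    decoded = URI.decode_www_form_component(name)
    decoded != name && SECURITY_PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "decoding names: #{parse_decoding_names(SAMPLE_HEADER).keys.inspect}"
  puts "raw names:      #{parse_raw_names(SAMPLE_HEADER).keys.inspect}"
  puts "flagged:        #{spoofed_prefix_names(SAMPLE_HEADER).inspect}"
end
```

An application that looks up `__Host-session` finds it only with the decoding parser; with names kept verbatim the encoded name never matches the prefixed key.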
If you are using Ruby 2.7 or 3.0:
- Please update the cgi gem to version 0.3.1, 0.2.1, and 0.1.1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile.
- Alternatively, please update Ruby to 2.7.5 or 3.0.3.
If you are using Ruby 2.6:
- Please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.
Affected versions
- ruby 2.6.8 or prior (You can not use gem update cgi for this version.)
- cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
- cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
- cgi gem 0.3.0 or prior
Credits
Thanks to ooooooo_q for discovering this issue.
History
- Originally published at 2021-11-24 12:00:00 (UTC)