Posted by mame on 24 Nov 2021
A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.
The old versions of
CGI::Cookie.parse applied URL decoding to cookie names.
An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.
By this fix,
CGI::Cookie.parse no longer decodes cookie names.
Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.
This is the same issue of CVE-2020-8184.
If you are using Ruby 2.7 or 3.0:
- Please update the cgi gem to version 0.3.1, 0.2.1, and 0.1.1 or later. You can use
gem update cgito update it. If you are using bundler, please add
gem "cgi", ">= 0.3.1"to your
- Alternatively, please update Ruby to 2.7.5 or 3.0.3.
If you are using Ruby 2.6:
- Please update Ruby to 2.6.9. You cannot use
gem update cgifor Ruby 2.6 or prior.
- ruby 2.6.8 or prior (You can not use
gem update cgifor this version.)
- cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
- cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
- cgi gem 0.3.0 or prior
Thanks to ooooooo_q for discovering this issue.
- Originally published at 2021-11-24 12:00:00 (UTC)