{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-33621", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:58:21.531Z", "dateReserved": "2021-05-28T00:00:00", "datePublished": "2022-11-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-01-24T05:06:28.299372"}, "descriptions": [{"lang": "en", "value": "The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/"}, {"name": "FEDORA-2022-ef96a58bbe", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/"}, {"name": "FEDORA-2022-f0f6c6bec2", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/"}, {"name": "FEDORA-2022-b9b710f199", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/"}, {"url": "https://security.netapp.com/advisory/ntap-20221228-0004/"}, {"name": "[debian-lts-announce] 20230609 [SECURITY] [DLA 3450-1] ruby2.5 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html"}, {"name": "GLSA-202401-27", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-27"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:58:21.531Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-ef96a58bbe", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/"}, {"name": "FEDORA-2022-f0f6c6bec2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/"}, {"name": "FEDORA-2022-b9b710f199", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/"}, {"url": "https://security.netapp.com/advisory/ntap-20221228-0004/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230609 [SECURITY] [DLA 3450-1] ruby2.5 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html"}, {"name": "GLSA-202401-27", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-27"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "CABF5DC4-7B4F-4548-B2DF-914B096246B8", "versionEndExcluding": "0.1.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "E6B2E611-4DD9-4265-AC1E-AA10826582D2", "versionEndExcluding": "0.2.2", "versionStartIncluding": "0.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "A6DA6066-2A67-4EE2-934F-3A0CF3D66AA7", "versionEndExcluding": "0.3.5", "versionStartIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "3553CC40-CE13-48A8-B959-0C0B96F1FAD1", "versionEndExcluding": "2.7.7", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "3047B1E3-1CB1-4270-AB66-CF194AECB87E", "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "576D85B3-8EA3-42F8-89FE-316057C9971D", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object."}, {"lang": "es", "value": "La gema cgi anterior a 0.1.0.2, 0.2.x anterior a 0.2.2 y 0.3.x anterior a 0.3.5 para Ruby permite la divisi\u00f3n de respuestas HTTP. Esto es relevante para aplicaciones que utilizan entradas de usuarios que no son de confianza, ya sea para generar una respuesta HTTP o para crear un objeto CGI::Cookie."}], "id": "CVE-2021-33621", "lastModified": "2024-01-24T05:15:10.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-18T23:15:18.987", "references": [{"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202401-27"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221228-0004/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3821", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.7-8080020230427102918.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-06-27T00:00:00Z"}, {"advisory": "RHSA-2023:7025", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8090020230627084142.b46abd14", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:1431", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.1-8090020240311122605.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:3500", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.0-8100020240522072634.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-30T00:00:00Z"}, {"advisory": "RHSA-2024:1576", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.1-9030020240320163942.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-01T00:00:00Z"}, {"advisory": "RHSA-2024:3838", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby-0:3.0.7-162.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:4542", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "ruby-0:3.0.4-161.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-15T00:00:00Z"}, {"advisory": "RHSA-2023:3291", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby27-ruby-0:2.7.8-132.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2023-05-24T00:00:00Z"}], "bugzilla": {"description": "ruby/cgi-gem: HTTP response splitting in CGI", "id": "2149706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149706"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-113", "details": ["The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.", "A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients."], "name": "CVE-2021-33621", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ruby30-ruby", "product_name": "Red Hat Software Collections"}], "public_date": "2022-11-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33621\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33621"], "statement": "This vulnerability is marked as moderate because the flaw was more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.", "threat_severity": "Moderate"}