cgi 0.1.0

Cookie Prefix Spoofing in CGI::Cookie.parse
Severity: high. CVE-2021-41819.
Patched versions: ~> 0.1.0.1, ~> 0.1.1, ~> 0.2.1, >= 0.3.1
Older versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this to spoof security prefixes (such as __Host- or __Secure-) in cookie names, which may trick a vulnerable application into trusting a cookie it should not.

With this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if the cookie names you use include non-alphanumeric characters that are URL-encoded.

This is the same issue as CVE-2020-8184.
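To illustrate the spoofing described above, the following is an added Ruby example, not code from the cgi gem: a minimal cookie splitter that either URL-decodes cookie names, as the old CGI::Cookie.parse did, or keeps them verbatim, as the fixed versions do. The sample Cookie header and the function names parse_cookie_pairs and trusted_host_cookie_values are constructed for this illustration.

```ruby
require 'uri'

# Constructed sample Cookie header. The second cookie's name is URL-encoded so
# that, once decoded, it collides with the genuine __Host- prefixed cookie.
# A browser never applies prefix rules to the encoded name, so the attacker
# could set it from an insecure context.
SAMPLE_HEADER = '__Host-session=real; %5F%5FHost-session=forged; theme=dark'

# Minimal name=value splitter modelled on the behaviour the advisory describes
# (not the gem's own implementation). Like CGI::Cookie.parse it collects one
# array of values per name. With decode_names: true the name is URL-decoded
# (old, vulnerable behaviour); with false it is kept verbatim (fixed behaviour).
def parse_cookie_pairs(header, decode_names:)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    name = URI.decode_www_form_component(name) if decode_names
    (cookies[name] ||= []) << URI.decode_www_form_component(value.to_s)
  end
end

# A typical application check: a __Host- cookie is trusted because browsers
# only accept that name with Secure, Path=/ and no Domain attribute, so the
# exact name is the security signal. If the parser decodes names, the forged
# cookie lands under the trusted name as a second value.
def trusted_host_cookie_values(header, decode_names:)
  parse_cookie_pairs(header, decode_names: decode_names).fetch('__Host-session', [])
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{trusted_host_cookie_values(SAMPLE_HEADER, decode_names: true).inspect}"
  puts "fixed:      #{trusted_host_cookie_values(SAMPLE_HEADER, decode_names: false).inspect}"
end
```

With decoding enabled the trusted name yields ["real", "forged"]; with names kept verbatim it yields only ["real"], and the encoded name survives unchanged as "%5F%5FHost-session".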
If you are using Ruby 2.7 or 3.0:
- Please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use `gem update cgi` to update it. If you are using bundler, please add `gem "cgi", ">= 0.3.1"` to your `Gemfile`.
- Alternatively, please update Ruby to 2.7.5 or 3.0.3.

If you are using Ruby 2.6:
- Please update Ruby to 2.6.9. You cannot use `gem update cgi` for Ruby 2.6 or prior.
Buffer Overrun in CGI.escape_html
Severity: high. CVE-2021-41816.
Patched versions: ~> 0.1.0.1, ~> 0.1.1, ~> 0.2.1, >= 0.3.1
A security vulnerability that causes a buffer overflow when a very large string (> 700 MB) is passed to CGI.escape_html on a platform where the `long` type is 4 bytes, typically Windows.
Please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use `gem update cgi` to update it. If you are using bundler, please add `gem "cgi", ">= 0.3.1"` to your `Gemfile`. Alternatively, please update Ruby to 2.7.5 or 3.0.3.

This issue was introduced in Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.
HTTP response splitting in CGI
Severity: high. CVE-2021-33621.
Patched versions: ~> 0.1.0.2, ~> 0.2.2, >= 0.3.5

cgi.rb in Ruby through 2.6.x, through 3.0.x, and through 3.1.x allows HTTP header injection. If a CGI application using the CGI library inserts untrusted input into an HTTP response header, an attacker can supply a newline character to split the header and inject malicious content to deceive clients.
No officially reported memory leak issues detected.
This gem version does not have any officially reported memory leak issues.

No license issues detected.
This gem version has a license in the gemspec.

This gem version is available.
This gem version has not been yanked and is still available for use.