{
  "threat_severity" : "Moderate",
  "public_date" : "2022-11-18T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby/cgi-gem: HTTP response splitting in CGI",
    "id" : "2149706",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2149706"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-113",
  "details" : [ "The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.", "A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients." ],
  "statement" : "This vulnerability is marked as moderate because the flaw is more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances; based on a technical evaluation, the flaw is less easily exploited, or affects unlikely configurations.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3821",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.7-8080020230427102918.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7025",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.5-8090020230627084142.b46abd14"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1431",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.1-8090020240311122605.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-30T00:00:00Z",
    "advisory" : "RHSA-2024:3500",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.0-8100020240522072634.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-01T00:00:00Z",
    "advisory" : "RHSA-2024:1576",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ruby:3.1-9030020240320163942.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3838",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ruby-0:3.0.7-162.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-15T00:00:00Z",
    "advisory" : "RHSA-2024:4542",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "ruby-0:3.0.4-161.el9_2.1"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2023-05-24T00:00:00Z",
    "advisory" : "RHSA-2023:3291",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby27-ruby-0:2.7.8-132.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-ruby30-ruby",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-33621\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33621" ],
  "name" : "CVE-2021-33621",
  "csaw" : false
}