Описание
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby3.0 | fixed | 3.0.3-1 | package | |
| ruby2.7 | fixed | 2.7.5-1 | package | |
| ruby2.5 | removed | package | ||
| ruby2.3 | removed | package |
Примечания
Fixed in Ruby 3.0.3, 2.7.5, 2.6.9
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Fixed by: https://github.com/ruby/cgi/commit/052eb3a828b0f99bca39cfd800f6c2b91307dbd5 (v0.3.1)
EPSS
Связанные уязвимости
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
EPSS