CVE-2021-33621

Published: Nov 18, 2022Modified: Nov 4, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Affected (9)

Products: Ruby Lang: Cgi, Ruby · Fedoraproject: Fedora

2 products

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Cgi	Before 0.1.0.2
Ruby Lang Cgi	From 0.2.0 to 0.2.2
Ruby Lang Cgi	From 0.3.0 to 0.3.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36
Fedoraproject Fedora	Version 37

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	From 2.7.0 to 2.7.7
Ruby Lang Ruby	From 3.0.0 to 3.0.5
Ruby Lang Ruby	From 3.1.0 to 3.1.3

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (15)

https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202401-27

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20221228-0004/

Source: cve@mitre.org

Third Party Advisory

https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/

Source: cve@mitre.org

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html