Bug 1193081 (CVE-2021-41819) - VUL-0: CVE-2021-41819: ruby, ruby2.1, ruby2.5, ruby2.7, ruby3.0: Cookie Prefix Spoofing in CGI::Cookie.parse
Summary: VUL-0: CVE-2021-41819: ruby, ruby2.1, ruby2.5, ruby2.7, ruby3.0: Cookie Prefi...
Status: RESOLVED FIXED
Alias: CVE-2021-41819
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/315864/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41819:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-25 12:22 UTC by Thomas Leroy
Modified: 2023-04-12 00:43 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2021-11-25 12:22:55 UTC
A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.

Details
The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

This is the same issue of CVE-2020-8184.

If you are using Ruby 2.7 or 3.0:

Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile.
Alternatively, please update Ruby to 2.7.5 or 3.0.3.
If you are using Ruby 2.6:

Please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.
Affected versions
ruby 2.6.8 or prior (You can not use gem update cgi for this version.)
cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
cgi gem 0.3.0 or prior
Comment 1 OBSbugzilla Bot 2021-11-25 13:40:21 UTC
This is an autogenerated message for OBS integration:
This bug (1193081) was mentioned in
https://build.opensuse.org/request/show/933749 Factory / ruby3.0
https://build.opensuse.org/request/show/933750 Factory / ruby2.7
Comment 8 Swamp Workflow Management 2022-09-16 19:23:03 UTC
SUSE-SU-2022:3292-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193081
CVE References: CVE-2021-41819
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ruby2.5-2.5.9-150000.4.26.1
openSUSE Leap 15.3 (src):    ruby2.5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ruby2.5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ruby2.5-2.5.9-150000.4.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.