CVE-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://hackerone.com/reports/910552	Permissions Required Third Party Advisory
https://hackerone.com/reports/910552	Permissions Required Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
https://security.gentoo.org/glsa/202401-27
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20220121-0003/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220121-0003/	Third Party Advisory
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/	Exploit Vendor Advisory
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:cgi:0.3.0:::::ruby::
	cpe:2.3:a:ruby-lang:cgi:0.2.0:::::ruby::
	cpe:2.3:a:ruby-lang:cgi:0.1.0:::::ruby::
	cpe:2.3:a:ruby-lang:ruby::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:a:redhat:software_collections:-:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:suse:linux_enterprise:12.0:::::::*
	cpe:2.3:o:suse:linux_enterprise:15.0:::::::*
	cpe:2.3:o:suse:linux_enterprise:11.0:sp1::::::

Configuration 5 (hide)

OR	cpe:2.3:a:opensuse:factory:-:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

Configuration 6 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

History

22 May 2025, 15:15

Type	Values Removed	Values Added
References	~~(MISC) https://hackerone.com/reports/910552 - Permissions Required, Third Party Advisory~~	() https://hackerone.com/reports/910552 - Permissions Required, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220121-0003/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20220121-0003/ - Third Party Advisory
References	~~(CONFIRM) https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ - Exploit, Vendor Advisory~~	() https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ - Exploit, Vendor Advisory

24 Jan 2024, 05:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202401-27 -

07 Nov 2023, 03:39

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/', 'name': 'FEDORA-2022-82a9edac27', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/', 'name': 'FEDORA-2022-8cf0124add', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/ -

Information

Published : 2022-01-01 06:15

Updated : 2025-05-22 15:15

NVD link : CVE-2021-41819

Mitre link : CVE-2021-41819

JSON object : View

Products Affected

debian

debian_linux

redhat

enterprise_linux
software_collections

opensuse

factory
leap

fedoraproject

fedora

ruby-lang

cgi
ruby

suse

linux_enterprise

CWE

CWE-565

Reliance on Cookies without Validation and Integrity Checking

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-41819

7.5^/10

5.0^/10

Attach tags to `CVE-2021-41819`