{
  "threat_severity" : "Moderate",
  "public_date" : "2021-11-24T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby: Cookie prefix spoofing in CGI::Cookie.parse",
    "id" : "2026757",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2026757"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "details" : [ "CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.", "A flaw was found in Ruby. The RubyGems cgi gem could allow a remote attacker to conduct spoofing attacks due to the mishandling of security prefixes in cookie names in the CGI::Cookie.parse function. By sending a specially crafted request, an attacker could perform cookie prefix spoofing attacks." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-02-16T00:00:00Z",
    "advisory" : "RHSA-2022:0543",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.6-8050020211215144356.c5368500"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-08-01T00:00:00Z",
    "advisory" : "RHSA-2022:5779",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.5-8060020220715152618.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6447",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.7-8060020220728151401.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6450",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.0-8060020220810162001.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2022-02-21T00:00:00Z",
    "advisory" : "RHSA-2022:0581",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "ruby:2.6-8010020220201152941.c27ad7f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-02-21T00:00:00Z",
    "advisory" : "RHSA-2022:0582",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "ruby:2.6-8020020220201131207.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-02-16T00:00:00Z",
    "advisory" : "RHSA-2022:0544",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.4",
    "package" : "ruby:2.6-8040020220131135901.522a0ee4"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-02-28T00:00:00Z",
    "advisory" : "RHSA-2022:0708",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby26-ruby-0:2.6.9-120.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-10-11T00:00:00Z",
    "advisory" : "RHSA-2022:6855",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby30-ruby-0:3.0.4-149.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-10-11T00:00:00Z",
    "advisory" : "RHSA-2022:6856",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-ruby27-ruby-0:2.7.6-131.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-41819\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41819" ],
  "name" : "CVE-2021-41819",
  "csaw" : false
}