GHSA-4vf4-qmvg-mh7h

Source

https://github.com/advisories/GHSA-4vf4-qmvg-mh7h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-4vf4-qmvg-mh7h/GHSA-4vf4-qmvg-mh7h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4vf4-qmvg-mh7h

Aliases

Published

2022-01-21T23:22:17Z

Modified

2024-02-21T05:19:34.866265Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Cookie Prefix Spoofing in CGI::Cookie.parse

Details

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.

References

Affected packages

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.3.0

Fixed

0.3.1

Affected versions

0.*

0.3.0

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.2.0

Fixed

0.2.1

Affected versions

0.*

0.2.0

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.0.1

Affected versions

0.*

0.1.0