PublicDateAtUSN: 2022-01-01 06:15:00 UTC
Candidate: CVE-2021-41819
PublicDate: 2022-01-01 06:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819
 https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
 https://github.com/ruby/cgi/commit/052eb3a828b0f99bca39cfd800f6c2b91307dbd5
 https://ubuntu.com/security/notices/USN-5235-1
Description:
 CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_ruby3.0:
upstream_ruby3.0: needs-triage
trusty_ruby3.0: ignored (out of standard support)
xenial_ruby3.0: ignored (out of standard support)
jammy_ruby3.0: released (3.0.2-7ubuntu2)
devel_ruby3.0: released (3.0.2-7ubuntu2)

Patches_ruby2.7:
upstream_ruby2.7: needs-triage
trusty_ruby2.7: ignored (out of standard support)
xenial_ruby2.7: ignored (out of standard support)
focal_ruby2.7: released (2.7.0-5ubuntu1.6)
hirsute_ruby2.7: released (2.7.2-4ubuntu1.3)
impish_ruby2.7: released (2.7.4-1ubuntu3.1)

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
trusty_ruby2.5: ignored (out of standard support)
xenial_ruby2.5: ignored (out of standard support)
bionic_ruby2.5: released (2.5.1-1ubuntu1.11)

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
esm-infra/xenial_ruby2.3: released (2.3.1-2~ubuntu16.04.16+esm2)
trusty_ruby2.3: ignored (out of standard support)
xenial_ruby2.3: ignored (out of standard support)