GHSA-vc47-6rqg-c7f5

Source

https://github.com/advisories/GHSA-vc47-6rqg-c7f5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-vc47-6rqg-c7f5/GHSA-vc47-6rqg-c7f5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc47-6rqg-c7f5

Aliases

Related

CGA-f83j-67rw-2p75

Published

2022-11-19T00:30:55Z

Modified

2024-09-11T06:12:44.306521Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

HTTP response splitting in CGI

Details

Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

References

Affected packages

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.3.0

Fixed

0.3.5

Affected versions

0.*

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.2.0

Fixed

0.2.2

Affected versions

0.*

0.2.0

0.2.1

RubyGems / cgi

Package

Name: cgi
Purl: pkg:gem/cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.0.2

Affected versions

0.*

0.1.0

0.1.0.1