{"id":"CVE-2021-41819","details":"CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.","aliases":["BIT-ruby-2021-41819","BIT-ruby-min-2021-41819","GHSA-4vf4-qmvg-mh7h"],"modified":"2026-03-12T02:16:38.618592901Z","published":"2022-01-01T06:15:07.293Z","related":["ALSA-2022:0543","ALSA-2022:5779","ALSA-2022:6447","ALSA-2022:6450","MGASA-2021-0579","SUSE-SU-2022:3292-1","openSUSE-SU-2024:11657-1","openSUSE-SU-2024:11658-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15819-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"},{"type":"ADVISORY","url":"https://hackerone.com/reports/910552"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-27"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220121-0003/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"},{"type":"REPORT","url":"https://hackerone.com/reports/910552"},{"type":"EVIDENCE","url":"https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"647ee6f091eafcce70ffb75ddf7e121e192ab217"},{"fixed":"f69aeb83146be640995753667fdd6c6f157527f5"},{"introduced":"95aff214687a5e12c3eb57d056665741e734c188"},{"fixed":"3fb7d2cadc18472ec107b14234933b017a33c14d"}]}],"versions":["v2_7_0","v2_7_1","v2_7_2","v2_7_3","v2_7_4","v3_0_0","v3_0_1","v3_0_2"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","id":"CVE-2021-41819-11445fd0","digest":{"threshold":0.9,"line_hashes":["221608888545214764521643589590002473795","62837079863855754692353823286478885059","151633818343694841750591657495653307518","112628295566100827065348454738811594068"]},"target":{"file":"ext/cgi/escape/escape.c"},"source":"https://github.com/ruby/ruby/commit/3fb7d2cadc18472ec107b14234933b017a33c14d","deprecated":false,"signature_version":"v1"},{"id":"CVE-2021-41819-2f76299c","deprecated":false,"digest":{"function_hash":"185553476159107413192269642060714357735","length":658},"target":{"file":"ext/cgi/escape/escape.c","function":"optimized_escape_html"},"source":"https://github.com/ruby/ruby/commit/f69aeb83146be640995753667fdd6c6f157527f5","signature_type":"Function","signature_version":"v1"},{"deprecated":false,"id":"CVE-2021-41819-799f160e","digest":{"threshold":0.9,"line_hashes":["221608888545214764521643589590002473795","62837079863855754692353823286478885059","151633818343694841750591657495653307518","112628295566100827065348454738811594068"]},"target":{"file":"ext/cgi/escape/escape.c"},"source":"https://github.com/ruby/ruby/commit/f69aeb83146be640995753667fdd6c6f157527f5","signature_type":"Line","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-41819-dfee3243","digest":{"function_hash":"185553476159107413192269642060714357735","length":658},"target":{"function":"optimized_escape_html","file":"ext/cgi/escape/escape.c"},"source":"https://github.com/ruby/ruby/commit/3fb7d2cadc18472ec107b14234933b017a33c14d","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41819.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}