CVE-2021-33621: RubyGems cgi gem HTTP response splitting

The maintainers of the RubyGems package manager have addressed a high-risk security vulnerability in the CGI class that could have been abused to launch HTTP response-splitting attacks. Security researcher Hiroshi Tokumaru has been credited for discovering this issue.

“If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body,” RubyGems said in a security advisory published on November 22, 2022.

CGI is a large class, providing several categories of methods, many of which are mixed in from other modules. For queries, CGI provides methods to get at environmental variables, parameters, cookies, and multipart request data. For responses, CGI provides methods for writing output and generating HTML.

The flaw tracked as CVE-2021-33621 (CVSS score: 8.8), allows a remote authenticated attacker to inject an arbitrary HTTP/1.1 response header in some form and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.

CVE-2021-33621 is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. The issue was addressed by the project maintainers in versions 0.3.5, 0.2.2, and 0.1.0.2 released on November 24, 2022. You can use gem update cgi to update it. If you are using bundler, please add gem “cgi”, “>= 0.3.5” to your Gemfile.