GHSA-4vf4-qmvg-mh7h

Source

https://github.com/advisories/GHSA-4vf4-qmvg-mh7h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-4vf4-qmvg-mh7h/GHSA-4vf4-qmvg-mh7h.json

Aliases

Published

2022-01-21T23:22:17Z

Modified

2024-02-21T05:19:34.866265Z

Summary

Cookie Prefix Spoofing in CGI::Cookie.parse

Details

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem prior to versions 0.3.1, 0.2.1, 0.1.1, and 0.1.0.1 for Ruby.

References

Affected packages

RubyGems / cgi

Package

Name: cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.3.0

Fixed

0.3.1

Affected versions

0.*

0.3.0

RubyGems / cgi

Package

Name: cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.2.0

Fixed

0.2.1

Affected versions

0.*

0.2.0

RubyGems / cgi

Package

Name: cgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.1.0.1

Affected versions

0.*

0.1.0