CVE-2021-41816: Buffer Overrun in CGI.escape_html

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.

Details

The vulnerability causes a buffer overflow when a very large string (> 700 MB) is passed to CGI.escape_html on a platform where the long type takes 4 bytes, typically Windows.

Please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3.

This issue was introduced in Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.

Affected versions
- cgi gem 0.1.0 or prior (the versions bundled with the Ruby 2.7 series prior to Ruby 2.7.5)
- cgi gem 0.2.0 or prior (the versions bundled with the Ruby 3.0 series prior to Ruby 3.0.3)
- cgi gem 0.3.0 or prior

CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods

We have released date gem versions 3.2.1, 3.1.2, 3.0.2, and 2.0.1, which include a security fix for a regular expression denial of service vulnerability (ReDoS) in date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817.

Details

Date's parsing methods, including Date.parse, use Regexps internally, some of which are vulnerable to regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

The fix limits the input length to 128 bytes by default instead of changing the regexps. This is because the Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, the limitation can be removed by explicitly passing the limit keyword as nil, as in Date.parse(str, limit: nil), but note that parsing may then take a long time.

Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, or 2.0.1 or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. Alternatively, you can update Ruby to 3.0.3, 2.7.5, 2.6.9 or later.

Affected versions
- date gem 2.0.0 or prior (the versions bundled with the Ruby 2.6 series prior to Ruby 2.6.9)
- date gem 3.0.1 or prior (the versions bundled with the Ruby 2.7 series prior to Ruby 2.7.5)
- date gem 3.1.1 or prior (the versions bundled with the Ruby 3.0 series prior to Ruby 3.0.3)
- date gem 3.2.0 or prior

CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby.

Details

Old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. With this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if the cookie names you are using include non-alphanumeric characters that are URL-encoded. This is the same issue as CVE-2020-8184.

If you are using Ruby 2.7 or 3.0: please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3.

If you are using Ruby 2.6: please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.
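The CGI::Cookie.parse change described above, as an added example that is not the cgi gem's code and not part of this bug report: a minimal model of the vulnerable (name-decoding) and fixed (name-preserving) parsing, run over a constructed Cookie header, with a defender-side prefix check. The module name, method names and header are assumptions made for this example.

```ruby
require "uri"

# Minimal model of the behaviour change described in the advisory. This is not
# the cgi gem's code: it mirrors only the difference that matters here, whether
# the cookie *name* is URL-decoded. Values are decoded in both variants.
module CookieParse
  SECURE_PREFIXES = ["__Host-", "__Secure-"].freeze

  # cgi < 0.3.1 / 0.2.1 / 0.1.1 (CVE-2021-41819): names were decoded, so two
  # differently spelled names could collapse into one after parsing.
  def self.vulnerable(header)
    parse_pairs(header) { |name| URI.decode_www_form_component(name) }
  end

  # Fixed versions: the name is kept exactly as it appeared in the header.
  def self.fixed(header)
    parse_pairs(header) { |name| name }
  end

  def self.parse_pairs(header)
    header.split(/;\s?/).each_with_object({}) do |pair, cookies|
      name, value = pair.split("=", 2)
      next if name.nil? || name.empty?
      name = yield(name)
      (cookies[name] ||= []) << URI.decode_www_form_component(value.to_s)
    end
  end

  # Defender-side check: trust a prefix only when it is literally present in
  # the (undecoded) name that the fixed parser returns.
  def self.prefixed?(name)
    SECURE_PREFIXES.any? { |p| name.start_with?(p) }
  end
end

# Constructed header: the second name is URL-encoded so that, once decoded, it
# reads the same as the first. Sample data for this example, not real traffic.
HEADER = "__Host-session=legit; %5F%5FHost-session=other"

def demo
  vuln  = CookieParse.vulnerable(HEADER)
  fixed = CookieParse.fixed(HEADER)
  {
    vulnerable_names: vuln.keys,   # one merged name, both values under it
    fixed_names:      fixed.keys,  # two distinct names
    fixed_trusted:    fixed.keys.select { |n| CookieParse.prefixed?(n) },
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With the fixed parser the encoded name stays distinct and fails the prefix check, which is also why applications that relied on URL-encoded cookie names see the incompatibility the advisory mentions.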
Fixed versions 2.6.9, 2.7.5, 3.0.3 have been added.
Thanks for filing the bug & adding so quickly. Let's stable quickly when you're comfortable.
Cleanup done.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48

commit aea6781bb25fe500e38a2cfce23bf166d29cbf48
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-24 04:04:06 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-24 04:06:47 +0000

    [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/747007
    Bug: https://bugs.gentoo.org/801061
    Bug: https://bugs.gentoo.org/827251
    Bug: https://bugs.gentoo.org/838073
    Bug: https://bugs.gentoo.org/882893
    Bug: https://bugs.gentoo.org/903630
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)