Advisories » MGASA-2022-0454

Updated ruby packages fix security vulnerability

Publication date: 13 Dec 2022
Modification date: 13 Dec 2022
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-33621

Description

If an application generates HTTP responses using the cgi gem with
untrusted user input, an attacker can exploit it to inject a malicious
HTTP response header and/or body.

Also, the contents of a CGI::Cookie object were not checked properly. If
an application creates a CGI::Cookie object based on user input, an
attacker may exploit it to inject invalid attributes in the Set-Cookie
header. Such applications are unlikely, but a change is included to check
arguments for CGI::Cookie#initialize preventatively.
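
An added example, not part of the advisory or of the cgi gem's patch: one way an application can screen untrusted values before using them as response header or cookie fields. The helper names and sample inputs are hypothetical, and the character rules follow RFC 6265 as an assumption rather than the gem's own checks.

```ruby
# Added example: screen untrusted input before it is used to build HTTP
# response headers or cookies. All helper names here are hypothetical.

class UnsafeHeaderInput < ArgumentError; end

# Cookie names are HTTP tokens (RFC 6265: cookie-name = token).
TOKEN_RE  = /\A[A-Za-z0-9!\#$%&'*+.^_`|~\-]+\z/
# RFC 6265 path-value: printable ASCII except ";".
PATH_RE   = /\A[\x20-\x3A\x3C-\x7E]*\z/
# Host name labels (letters, digits, inner hyphens), optional leading dot.
LABEL     = /[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/
DOMAIN_RE = /\A\.?#{LABEL}(?:\.#{LABEL})*\z/

# Pitfall kept for contrast: in Ruby, ^ and $ match at every line break,
# so a value carrying CR/LF passes as long as one of its lines looks clean.
def naive_header_ok?(value)
  value.to_s.match?(/^[\x20-\x7E]*$/)
end

# Reject CR, LF, NUL and other control bytes (HTAB allowed) in a header value.
def safe_header_value(value)
  s = value.to_s
  raise UnsafeHeaderInput, "control character in header value" if s.b.match?(/[\x00-\x08\x0A-\x1F\x7F]/)
  s
end

# Validate the cookie fields that end up as Set-Cookie attributes.
def safe_cookie_attrs(name:, path: "", domain: nil)
  raise UnsafeHeaderInput, "cookie name is not a token" unless TOKEN_RE.match?(name.to_s.b)
  raise UnsafeHeaderInput, "illegal character in cookie path" unless PATH_RE.match?(path.to_s.b)
  unless domain.nil? || DOMAIN_RE.match?(domain.to_s.b)
    raise UnsafeHeaderInput, "cookie domain is not a host name"
  end
  { "name" => name.to_s, "path" => path.to_s, "domain" => domain }
end

# True when the block's validation raises, false when the input is accepted.
def rejected?
  yield
  false
rescue UnsafeHeaderInput
  true
end

# Constructed sample inputs (not from the advisory).
SPLIT_VALUE = "/home\r\nX-Injected: 1"
BAD_PATH    = "/app; Domain=other.example"
```

Anchoring with \A and \z is what separates the strict checks from `naive_header_ok?`, which accepts `SPLIT_VALUE` because its second line is clean.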
                

References

SRPMS

8/core