{"id":"CVE-2021-41819","details":"CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.","aliases":["BIT-ruby-2021-41819","BIT-ruby-min-2021-41819","GHSA-4vf4-qmvg-mh7h"],"modified":"2026-04-16T04:38:38.917985522Z","published":"2022-01-01T06:15:07.293Z","related":["ALSA-2022:0543","ALSA-2022:5779","ALSA-2022:6447","ALSA-2022:6450","SUSE-SU-2022:3292-1","openSUSE-SU-2024:11657-1","openSUSE-SU-2024:11658-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15819-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-27"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220121-0003/"},{"type":"REPORT","url":"https://hackerone.com/reports/910552"},{"type":"EVIDENCE","url":"https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/cgi","events":[{"introduced":"0"},{"last_affected":"cf0564fe0e01f816c0602456333c82cc8bde8cf7"},{"introduced":"0"},{"last_affected":"8f0b2571916ed143328c1834793fe8305b891e1a"},{"introduced":"0"},{"last_affected":"95324433b41daf7f292ba84f15b355abb7105c40"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.1.0"},{"introduced":"0"},{"last_affected":"0.2.0"},{"introduced":"0"},{"last_affected":"0.3.0"}]}},{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected":"768423edc2634574d66f14f3c2d3602326bfb464"},{"introduced":"647ee6f091eafcce70ffb75ddf7e121e192ab217"},{"fixed":"f69aeb83146be640995753667fdd6c6f157527f5"},{"introduced":"95aff214687a5e12c3eb57d056665741e734c188"},{"fixed":"3fb7d2cadc18472ec107b14234933b017a33c14d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.6.8"},{"introduced":"2.7.0"},{"fixed":"2.7.5"},{"introduced":"3.0.0"},{"fixed":"3.0.3"}]}}],"versions":["v0.1.0","v0.2.0","v0.3.0","v1_0_r2","v2_6_8","v2_7_0","v2_7_1","v2_7_2","v2_7_3","v2_7_4","v3_0_0","v3_0_1","v3_0_2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0-sp1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.2"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]}],"vanir_signatures_modified":"2026-04-11T18:45:33Z","vanir_signatures":[{"signature_version":"v1","target":{"file":"ext/cgi/escape/escape.c"},"signature_type":"Line","id":"CVE-2021-41819-11445fd0","source":"https://github.com/ruby/ruby/commit/3fb7d2cadc18472ec107b14234933b017a33c14d","deprecated":false,"digest":{"line_hashes":["221608888545214764521643589590002473795","62837079863855754692353823286478885059","151633818343694841750591657495653307518","112628295566100827065348454738811594068"],"threshold":0.9}},{"digest":{"length":658,"function_hash":"185553476159107413192269642060714357735"},"target":{"file":"ext/cgi/escape/escape.c","function":"optimized_escape_html"},"signature_type":"Function","id":"CVE-2021-41819-2f76299c","source":"https://github.com/ruby/ruby/commit/f69aeb83146be640995753667fdd6c6f157527f5","deprecated":false,"signature_version":"v1"},{"deprecated":false,"target":{"file":"ext/cgi/escape/escape.c"},"digest":{"line_hashes":["221608888545214764521643589590002473795","62837079863855754692353823286478885059","151633818343694841750591657495653307518","112628295566100827065348454738811594068"],"threshold":0.9},"id":"CVE-2021-41819-799f160e","source":"https://github.com/ruby/ruby/commit/f69aeb83146be640995753667fdd6c6f157527f5","signature_version":"v1","signature_type":"Line"},{"digest":{"length":658,"function_hash":"185553476159107413192269642060714357735"},"target":{"file":"ext/cgi/escape/escape.c","function":"optimized_escape_html"},"signature_type":"Function","id":"CVE-2021-41819-dfee3243","source":"https://github.com/ruby/ruby/commit/3fb7d2cadc18472ec107b14234933b017a33c14d","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41819.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}