CVE-2021-33621

ADVISORY - github

Summary

Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

EPSS Score⁠: 0.01706 (0.817)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-74⁠

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADVISORY - github

CWE-436⁠

Interpretation Conflict

CWE-74⁠

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-74⁠

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-113⁠

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.