{"api_version":"1","generated_at":"2026-04-22T21:27:12+00:00","cve":"CVE-2021-33621","urls":{"html":"https://cve.report/CVE-2021-33621","api":"https://cve.report/api/cve/CVE-2021-33621.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-33621","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-33621"},"summary":{"title":"CVE-2021-33621","description":"The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-11-18 23:15:00","updated_at":"2024-01-24 05:15:00"},"problem_types":["CWE-74"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/","name":"FEDORA-2022-b9b710f199","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: ruby-3.0.5-155.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/","name":"FEDORA-2022-ef96a58bbe","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: ruby-3.1.3-172.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/","name":"FEDORA-2022-f0f6c6bec2","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: ruby-3.1.3-172.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/","name":"FEDORA-2022-f0f6c6bec2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: ruby-3.1.3-172.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/1204695","name":"https://hackerone.com/reports/1204695","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/","name":"FEDORA-2022-b9b710f199","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: ruby-3.0.5-155.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202401-27","name":"GLSA-202401-27","refsource":"","tags":[],"title":"Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/","name":"https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-33621: HTTP response splitting in CGI","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/","name":"FEDORA-2022-ef96a58bbe","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: ruby-3.1.3-172.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html","name":"[debian-lts-announce] 20230609 [SECURITY] [DLA 3450-1] ruby2.5 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3450-1] ruby2.5 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20221228-0004/","name":"https://security.netapp.com/advisory/ntap-20221228-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-33621 Ruby Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-33621","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33621","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"33621","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33621","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33621","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33621","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"cgi","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33621","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-33621","qid":"160771","title":"Oracle Enterprise Linux Security Update for ruby:2.7 (ELSA-2023-3821)"},{"cve":"CVE-2021-33621","qid":"161185","title":"Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2023-7025)"},{"cve":"CVE-2021-33621","qid":"161427","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1431)"},{"cve":"CVE-2021-33621","qid":"161454","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1576)"},{"cve":"CVE-2021-33621","qid":"181836","title":"Debian Security Update for ruby2.5 (DLA 3450-1)"},{"cve":"CVE-2021-33621","qid":"183181","title":"Debian Security Update for ruby3.1 (CVE-2021-33621)"},{"cve":"CVE-2021-33621","qid":"199124","title":"Ubuntu Security Notification for Ruby Vulnerability (USN-5806-2)"},{"cve":"CVE-2021-33621","qid":"199248","title":"Ubuntu Security Notification for Ruby Vulnerability (USN-5806-3)"},{"cve":"CVE-2021-33621","qid":"199434","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6181-1)"},{"cve":"CVE-2021-33621","qid":"199530","title":"Ubuntu Security Notification for Ruby Vulnerability (USN-5806-1)"},{"cve":"CVE-2021-33621","qid":"241557","title":"Red Hat Update for rh-ruby27-ruby security (RHSA-2023:3291)"},{"cve":"CVE-2021-33621","qid":"241760","title":"Red Hat Update for ruby:2.7 security (RHSA-2023:3821)"},{"cve":"CVE-2021-33621","qid":"242449","title":"Red Hat Update for ruby:2.5 (RHSA-2023:7025)"},{"cve":"CVE-2021-33621","qid":"243097","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1431)"},{"cve":"CVE-2021-33621","qid":"243151","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1576)"},{"cve":"CVE-2021-33621","qid":"283395","title":"Fedora Security Update for ruby (FEDORA-2022-ef96a58bbe)"},{"cve":"CVE-2021-33621","qid":"283396","title":"Fedora Security Update for ruby (FEDORA-2022-f0f6c6bec2)"},{"cve":"CVE-2021-33621","qid":"283496","title":"Fedora Security Update for ruby (FEDORA-2022-b9b710f199)"},{"cve":"CVE-2021-33621","qid":"296100","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 58.144.3 Missing (CPUAPR2023)"},{"cve":"CVE-2021-33621","qid":"354697","title":"Amazon Linux Security Advisory for ruby3.1 : ALAS2022-2023-262"},{"cve":"CVE-2021-33621","qid":"356247","title":"Amazon Linux Security Advisory for ruby : ALASRUBY3.0-2023-004"},{"cve":"CVE-2021-33621","qid":"356289","title":"Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-003"},{"cve":"CVE-2021-33621","qid":"356493","title":"Amazon Linux Security Advisory for ruby : ALAS2RUBY2.6-2023-003"},{"cve":"CVE-2021-33621","qid":"357337","title":"Amazon Linux Security Advisory for ruby : ALAS2-2024-2503"},{"cve":"CVE-2021-33621","qid":"378703","title":"Alibaba Cloud Linux Security Update for ruby:2.7 (ALINUX3-SA-2023:0080)"},{"cve":"CVE-2021-33621","qid":"502603","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2021-33621","qid":"502633","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2021-33621","qid":"502634","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2021-33621","qid":"504379","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2021-33621","qid":"672730","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1483)"},{"cve":"CVE-2021-33621","qid":"672733","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1458)"},{"cve":"CVE-2021-33621","qid":"672798","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1540)"},{"cve":"CVE-2021-33621","qid":"672831","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1565)"},{"cve":"CVE-2021-33621","qid":"672875","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1609)"},{"cve":"CVE-2021-33621","qid":"672906","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1790)"},{"cve":"CVE-2021-33621","qid":"672925","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-1768)"},{"cve":"CVE-2021-33621","qid":"690997","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for rubygem (84ab03b6-6c20-11ed-b519-080027f5fec9)"},{"cve":"CVE-2021-33621","qid":"710844","title":"Gentoo Linux Ruby Multiple Vulnerabilities (GLSA 202401-27)"},{"cve":"CVE-2021-33621","qid":"755145","title":"SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2023:4176-1)"},{"cve":"CVE-2021-33621","qid":"941165","title":"AlmaLinux Security Update for ruby:2.7 (ALSA-2023:3821)"},{"cve":"CVE-2021-33621","qid":"941437","title":"AlmaLinux Security Update for ruby:2.5 (ALSA-2023:7025)"},{"cve":"CVE-2021-33621","qid":"941625","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1431)"},{"cve":"CVE-2021-33621","qid":"941633","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1576)"},{"cve":"CVE-2021-33621","qid":"961138","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1431)"},{"cve":"CVE-2021-33621","qid":"961149","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1576)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-33621","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/","url":"https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/"},{"refsource":"FEDORA","name":"FEDORA-2022-ef96a58bbe","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/"},{"refsource":"FEDORA","name":"FEDORA-2022-f0f6c6bec2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/"},{"refsource":"FEDORA","name":"FEDORA-2022-b9b710f199","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20221228-0004/","url":"https://security.netapp.com/advisory/ntap-20221228-0004/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230609 [SECURITY] [DLA 3450-1] ruby2.5 security update","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html"}]}},"nvd":{"publishedDate":"2022-11-18 23:15:00","lastModifiedDate":"2024-01-24 05:15:00","problem_types":["CWE-74"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*","versionStartIncluding":"0.2.0","versionEndExcluding":"0.2.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*","versionEndExcluding":"0.1.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*","versionStartIncluding":"0.3.0","versionEndExcluding":"0.3.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndExcluding":"3.1.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"2.7.0","versionEndExcluding":"2.7.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"33621","Ordinal":"209032","Title":"CVE-2021-33621","CVE":"CVE-2021-33621","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"33621","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}