Critical severityNVD Advisory· Published Feb 6, 2022· Updated Aug 4, 2024
CVE-2021-41816
CVE-2021-41816
Description
CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cgiRubyGems | >= 0.3.0, < 0.3.1 | 0.3.1 |
cgiRubyGems | >= 0.2.0, < 0.2.1 | 0.2.1 |
cgiRubyGems | < 0.1.0.1 | 0.1.0.1 |
Affected products
15- Ruby/CGI.escape_htmldescription
- osv-coords14 versionspkg:apk/chainguard/ruby-3.0pkg:apk/chainguard/ruby-3.0-devpkg:apk/chainguard/ruby-3.0-docpkg:apk/wolfi/ruby-3.0pkg:apk/wolfi/ruby-3.0-devpkg:apk/wolfi/ruby-3.0-docpkg:gem/cgipkg:rpm/opensuse/ruby2.7&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.1&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby4.0&distro=openSUSE%20Tumbleweed
< 0+ 13 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 0.3.0, < 0.3.1
- (no CPE)range: < 2.7.5-1.1
- (no CPE)range: < 3.0.3-1.1
- (no CPE)range: < 3.1.0-1.1
- (no CPE)range: < 3.2.1-1.1
- (no CPE)range: < 3.3.0-1.2
- (no CPE)range: < 3.4.1-1.1
- (no CPE)range: < 4.0.0~preview2-1.1
Patches
Vulnerability mechanics
References
21- github.com/advisories/GHSA-5cqm-crxm-6qpvghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2021-41816ghsaADVISORY
- security.gentoo.org/glsa/202401-27ghsavendor-advisoryWEB
- github.com/ruby/cgi/commit/959ccf0b6a672bcc64aeaa60c6e1f9e728f1e87fghsaWEB
- github.com/ruby/cgi/commit/ad079c1cb5f58eba1ffac46da79995fcf94a3a6eghsaWEB
- github.com/ruby/cgi/commit/c6a37a671b556eb06140ea89cc465136b24207a6ghsaWEB
- github.com/ruby/cgi/commit/c728632c1c09d46cfd4ecbff9caaa3651dd1002aghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-41816.ymlghsaWEB
- groups.google.com/g/ruby-security-ann/c/4MQ568ZG47cghsaWEB
- hackerone.com/reports/1328463ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWNghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWNghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZFghsaWEB
- security-tracker.debian.org/tracker/CVE-2021-41816ghsaWEB
- security.netapp.com/advisory/ntap-20220303-0006ghsaWEB
- www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816ghsaWEB
- security.netapp.com/advisory/ntap-20220303-0006/mitre
- www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/mitre
News mentions
0No linked articles in our index yet.