Advisories for Gem/Cgi package

2022

Interpretation Conflict

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Integer Overflow or Wraparound

CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes.

2021

Duplicate of ./gem/cgi/CVE-2021-41816.yml

A security vulnerability that causes a buffer overflow when you pass a very large string ( MB) to CGI.escape_html on a platform where the long type takes 4 bytes, typically Windows. Please update the cgi gem to,1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", " " to your Gemfile. Alternatively, please update Ruby to This issue has been introduced …