PT-2021-5297 · Ruby+4

Chamal · Published 2021-11-25 · Updated 2025-12-12 · CVE-2021-41816

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Ruby versions prior to 2.7.5
Ruby versions 3.x prior to 3.0.3
CGI gem versions prior to 0.3.1

Description

The issue is caused by an integer overflow and resultant buffer overflow in the CGI.escape_html function when a long string is passed to it on platforms where size_t and long have different numbers of bytes, such as Windows. This can lead to a buffer overrun when a user passes a very large string to CGI.escape_html. The exploitation of this issue may allow a remote attacker to execute arbitrary code in the target system.

Recommendations

For Ruby versions prior to 2.7.5, update to version 2.7.5 or later. For Ruby versions 3.x prior to 3.0.3, update to version 3.0.3 or later. For CGI gem versions prior to 0.3.1, update to version 0.3.1 or later. As a temporary workaround, consider restricting the input size to CGI.escape_html to prevent buffer overflows until a patch is applied.
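
The version check and the temporary input-size workaround above, sketched in Ruby as an added example (not code from this advisory or from the Ruby project). The module name `EscapeGuard`, its method names and the 1 MiB cap are assumptions; it calls `CGI.escapeHTML`, the method that `CGI.escape_html` aliases.

```ruby
require "rubygems"     # Gem::Version, for version comparison
require "cgi/escape"   # provides CGI.escapeHTML

# Hypothetical helper module; names are illustrative, not part of Ruby or the CGI gem.
module EscapeGuard
  # Fixed releases named in the advisory.
  FIXED_RUBY_27 = Gem::Version.new("2.7.5")
  FIXED_RUBY_3  = Gem::Version.new("3.0.3")
  FIXED_CGI_GEM = Gem::Version.new("0.3.1")

  # Assumed cap for the workaround; set it to the largest legitimate input.
  MAX_BYTES = 1 << 20

  class InputTooLarge < ArgumentError; end

  module_function

  # True for Ruby before 2.7.5 and for 3.x before 3.0.3.
  def ruby_affected?(version = RUBY_VERSION)
    v = Gem::Version.new(version)
    v < FIXED_RUBY_27 || (v.segments.first == 3 && v < FIXED_RUBY_3)
  end

  # True for CGI gem versions before 0.3.1.
  def cgi_gem_affected?(version)
    Gem::Version.new(version) < FIXED_CGI_GEM
  end

  # Platform condition from the description: size_t and long differ in width.
  # Assumption: size_t is as wide as a pointer (pack "j" is intptr_t, "l!" is long).
  def size_t_and_long_differ?
    [0].pack("j").bytesize != [0].pack("l!").bytesize
  end

  # Reject oversized input before it reaches the escaping routine.
  def escape_html(input, max_bytes: MAX_BYTES)
    str = input.to_s
    if str.bytesize > max_bytes
      raise InputTooLarge, "#{str.bytesize} bytes exceeds limit of #{max_bytes}"
    end
    CGI.escapeHTML(str)
  end
end
```

Route untrusted input through `EscapeGuard.escape_html` until the interpreter or gem is updated; the cap is a stopgap, not a replacement for the fixed versions.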

Exploit

Fix

Buffer Overflow

Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-06123
CVE-2021-41816
DSA-5067-1
GHSA-5CQM-CRXM-6QPV
MGASA-2021-0579
OPENSUSE-SU-2024:11657-1
OPENSUSE-SU-2024:11658-1
OPENSUSE-SU-2024:11786-1
OPENSUSE-SU-2024:12712-1
OPENSUSE-SU-2024:13623-1
OPENSUSE-SU-2025:14621-1
OPENSUSE-SU-2025:15819-1
RHSA-2022:6855
RHSA-2022:6856
USN-5235-1

Affected Products

Cgi Gem
Linuxmint
Red Os
Ruby
Ubuntu