CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
EPSS
Percentile
50.8%
In Secure Headers (RubyGem secure_headers), a directive injection
vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If
user-supplied input was passed into
append/override_content_security_policy_directives, a semicolon could be
injected leading to directive injection. This could be used to e.g.
override a script-src directive. Duplicate directives are ignored and the
first one wins. The directives in secure_headers are sorted alphabetically
so they pretty much all come before script-src. A previously undefined
directive would receive a value even if SecureHeaders::OPT_OUT was
supplied. The fixed versions will silently convert the semicolons to spaces
and emit a deprecation warning when this happens. This will result in
innocuous browser console messages if being exploited/accidentally used. In
future releases, we will raise application errors resulting in 500s.
Depending on what major version you are using, the fixed versions are
6.2.0, 5.1.0, 3.8.0.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ruby-secure-headers | < any | UNKNOWN |
ubuntu | 20.04 | noarch | ruby-secure-headers | < any | UNKNOWN |
github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
github.com/twitter/secure_headers/issues/418
github.com/twitter/secure_headers/pull/421
github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
launchpad.net/bugs/cve/CVE-2020-5217
nvd.nist.gov/vuln/detail/CVE-2020-5217
security-tracker.debian.org/tracker/CVE-2020-5217
www.cve.org/CVERecord?id=CVE-2020-5217
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
EPSS
Percentile
50.8%