CVE-2020-5217

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.

CVSS v3 4.4 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3	Patch
https://github.com/twitter/secure_headers/issues/418	Exploit Third Party Advisory
https://github.com/twitter/secure_headers/pull/421	Third Party Advisory
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c	Mitigation Third Party Advisory
https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3	Patch
https://github.com/twitter/secure_headers/issues/418	Exploit Third Party Advisory
https://github.com/twitter/secure_headers/pull/421	Third Party Advisory
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:twitter:secure_headers::::::ruby::*
	cpe:2.3:a:twitter:secure_headers::::::ruby::*
	cpe:2.3:a:twitter:secure_headers::::::ruby::*

History

21 Nov 2024, 05:33

Type	Values Removed	Values Added
CVSS	v2 : ~~5.0~~ v3 : ~~5.8~~	v2 : 5.0 v3 : 4.4
References	~~() https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3 - Patch~~	() https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3 - Patch
References	~~() https://github.com/twitter/secure_headers/issues/418 - Exploit, Third Party Advisory~~	() https://github.com/twitter/secure_headers/issues/418 - Exploit, Third Party Advisory
References	~~() https://github.com/twitter/secure_headers/pull/421 - Third Party Advisory~~	() https://github.com/twitter/secure_headers/pull/421 - Third Party Advisory
References	~~() https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c - Mitigation, Third Party Advisory~~	() https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c - Mitigation, Third Party Advisory

Information

Published : 2020-01-23 03:15

Updated : 2024-11-21 05:33

NVD link : CVE-2020-5217

Mitre link : CVE-2020-5217

CVE.ORG link : CVE-2020-5217

JSON object : View

Products Affected

twitter

secure_headers

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

4.4 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-5217

4.4^/10

5.0^/10

Attach tags to `CVE-2020-5217`