UBUNTU-CVE-2020-5217
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2020-5217
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-5217.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-5217
- Related
- Published
- 2020-01-23T03:15:00Z
- Modified
- 2024-10-15T14:07:54Z
- Severity
-
- 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Secure Headers (RubyGem secureheaders), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secureheaders are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.
- References
-
- https://ubuntu.com/security/CVE-2020-5217
- https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
- https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
- https://github.com/twitter/secure_headers/issues/418
- https://github.com/twitter/secure_headers/pull/421
- https://www.cve.org/CVERecord?id=CVE-2020-5217
Affected packages
Ubuntu:Pro:18.04:LTS / ruby-secure-headers
Package
- Name
- ruby-secure-headers
- Purl
- pkg:deb/ubuntu/ruby-secure-headers?arch=src?distro=esm-apps/bionic