In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected, leading to limited header injection. Upon seeing a newline in the header value, Rails silently creates a new Content-Security-Policy header with the remainder of the original string, and continues to create a new header for each further newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.
Reference: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
Upstream commit: https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
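As an added illustration of the defensive check an application should apply before untrusted values reach append/override_content_security_policy_directives (this is example code, not the gem's code or the upstream fix; the helper names and the strict source-expression pattern are assumptions):

```ruby
# Added example (not part of the advisory or the secure_headers gem):
# validate untrusted CSP source values before they are handed to
# append_content_security_policy_directives / override_content_security_policy_directives.

# Characters permitted in a single CSP source expression (scheme, host, 'self',
# 'nonce-...', 'sha256-...'). Deliberately strict: no whitespace, ';' or ','.
# Assumption: this pattern is ours, not the gem's.
CSP_SOURCE_RE = %r{\A[A-Za-z0-9.:/'*+=_\-]+\z}

class UnsafeCspValue < ArgumentError; end

# True if the value contains CR or LF, the characters that make Rails/Rack
# start a new header (the root cause described in CVE-2020-5216).
def header_splitting?(value)
  value.include?("\n") || value.include?("\r")
end

# Validates one user-supplied source expression; raises so a newline or any
# other unexpected character can never reach the header value.
def validate_csp_source!(value)
  s = value.to_s
  raise UnsafeCspValue, "newline in CSP source" if header_splitting?(s)
  unless CSP_SOURCE_RE.match?(s)
    raise UnsafeCspValue, "unexpected characters in CSP source: #{s.inspect}"
  end
  s
end

# Builds the directives hash to pass to the gem, validating every value first.
def safe_csp_directives(directive, values)
  { directive => values.map { |v| validate_csp_source!(v) } }
end

# Renders the header value for logging or review (directive keys use underscores
# in secure_headers; the header uses hyphens).
def render_csp(directives)
  directives.map { |d, vs| "#{d.to_s.tr('_', '-')} #{vs.join(' ')}" }.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one clean value, one carrying an embedded newline.
  puts render_csp(safe_csp_directives(:script_src, ["'self'", "https://cdn.example.com"]))
  begin
    safe_csp_directives(:script_src, ["https://cdn.example.com\nextra"])
  rescue UnsafeCspValue => e
    puts "rejected: #{e.message}"
  end
end
```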
External References: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
Statement: Satellite 6 ships the Secure Headers rubygem; however, it does not accept any user input in override_content_security_policy_directive or append_content_security_policy_directive. All directives are hard-coded and therefore Satellite 6 is not vulnerable to this CVE. We may update this rubygem in a future release.
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8, via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5216