1801286 – (CVE-2020-5216) CVE-2020-5216 rubygem-secure_headers: limited header injection when using dynamic overrides with user input

Bug 1801286 (CVE-2020-5216) - CVE-2020-5216 rubygem-secure_headers: limited header injection when using dynamic overrides with user input

Summary: CVE-2020-5216 rubygem-secure_headers: limited header injection when using dyn...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-5216
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1802536 1802537 1866306
Blocks:	1801287
TreeView+	depends on / blocked

Reported:	2020-02-10 15:00 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-12-14 18:47 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A directive injection vulnerability was found in Secure Headers RubyGem before versions 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into the vulnerable function, a new line could be injected, leading to limited header injection, which could create a new Content Security Policy header in the HTTP response.
Clone Of:
Environment:
Last Closed:	2020-10-27 14:21:24 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4366	0	None	None	None	2020-10-27 12:55:49 UTC

Description Guilherme de Almeida Suckevicz 2020-02-10 15:00:41 UTC

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

Reference:
https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg

Upstream commit:
https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0

Comment 2 Yadnyawalk Tale 2020-02-12 15:40:41 UTC

External References:

https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg

Comment 4 Yadnyawalk Tale 2020-02-18 10:15:13 UTC

Statement:

Satellite 6 ships Secure Header rubygem, however, it does not accept any user input in override_content_security_policy_directive or append_content_security_policy_directive. All directives are hard-coded and therefor Satellite 6 is not vulnerable to this CVE. We may update this rubygem in future release.

Comment 7 errata-xmlrpc 2020-10-27 12:55:46 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Comment 8 Product Security DevOps Team 2020-10-27 14:21:24 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5216

Note You need to log in before you can comment on or make changes to this bug.

bbuckingham
bcourt
bkearney
btotty
dmetzger
gblomqui
gmccullo
gtanzill
hhudgeon
jfrey
jhardy
kdixon
lzap
mmccune
obarenbo
rchan
rjerrido
roliveri
simaishi
smallamp
sokeeffe