PT-2020-18313 · F-Secure · Secure Headers

Published: 2020-01-23 · Updated: 2020-05-21 · CVE-2020-5217

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Secure Headers versions prior to 3.8.0
Secure Headers versions prior to 5.1.0
Secure Headers versions prior to 6.2.0
Description

A directive injection vulnerability is present in Secure Headers. If user-supplied input was passed into append_content_security_policy_directives or override_content_security_policy_directives, a semicolon could be injected, leading to directive injection. This could be used to override a script-src directive: browsers ignore duplicate directives and the first one wins, and because Secure Headers emits directives in alphabetical order, almost all of them come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions silently convert the semicolons to spaces and emit a deprecation warning when this happens, so an exploitation attempt or accidental misuse results only in innocuous browser console messages.
Recommendations

For versions prior to 3.8.0, update to version 3.8.0 or later. For versions prior to 5.1.0, update to version 5.1.0 or later. For versions prior to 6.2.0, update to version 6.2.0 or later. As a temporary workaround, consider filtering user input by replacing semicolons with spaces, for example with user_input.gsub(";", " "), before passing it to override_content_security_policy_directives.
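To make the description and the workaround concrete, the following added Ruby example (not code from the secure_headers gem or from this advisory) models how a CSP header is assembled from a directives hash in alphabetical order, how a browser resolves duplicate directives (first one wins), and how the semicolon-to-space filtering neutralises a tainted directive value. The header builder, the parser, the hostname and the tainted sample value are all constructed for illustration.

```ruby
# Added example, not part of the advisory or the secure_headers gem: a toy model of
# CSP header assembly and browser-side duplicate handling, used to show why an
# unfiltered directive value matters and why replacing ";" with " " is enough.

# Build a CSP header as the advisory describes: directives sorted alphabetically,
# joined with "; ". Simplified stand-in for the gem's own header builder.
def build_csp(directives)
  directives
    .sort_by { |name, _| name.to_s }
    .map { |name, sources| "#{name.to_s.tr('_', '-')} #{Array(sources).join(' ')}" }
    .join('; ')
end

# Workaround from the advisory: neutralise semicolons in user-controlled input
# before it reaches a directive value. Fixed gem versions do this themselves
# and emit a deprecation warning.
def sanitize_source(user_input)
  user_input.gsub(';', ' ')
end

# Parse a CSP header the way browsers treat duplicates: split on semicolons,
# the first occurrence of a directive name wins, later ones are ignored.
def parse_csp(header)
  policy = {}
  header.split(';').each do |part|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    name = tokens.shift
    policy[name] ||= tokens   # first definition wins
  end
  policy
end

# Check: does the policy a browser would enforce still carry the script-src
# the application intended?
def script_src_intact?(header, intended)
  parse_csp(header)['script-src'] == intended
end

# Constructed sample: the app sets a strict script-src, while a user-supplied value
# lands in connect-src, which sorts before script-src. The value has the shape the
# advisory warns about (a semicolon followed by a second directive).
INTENDED_SCRIPT_SRC = ["'self'"].freeze
TAINTED_INPUT = "https://api.example.test; script-src *"   # constructed, not a real host

def vulnerable_header
  build_csp(connect_src: [TAINTED_INPUT], script_src: INTENDED_SCRIPT_SRC)
end

def hardened_header
  build_csp(connect_src: [sanitize_source(TAINTED_INPUT)], script_src: INTENDED_SCRIPT_SRC)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_header}"
  puts "  enforced script-src: #{parse_csp(vulnerable_header)['script-src'].inspect}"
  puts "hardened:   #{hardened_header}"
  puts "  enforced script-src: #{parse_csp(hardened_header)['script-src'].inspect}"
end
```

With the filter applied, the leftover text becomes harmless extra tokens inside connect-src rather than a second script-src, which is exactly the "innocuous console messages" outcome the advisory describes for fixed versions.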

Weakness Enumeration

Special Elements Injection
Eval Injection

Related Identifiers

CVE-2020-5217
GHSA-XQ52-RV6W-397C
RHSA-2020:4366

Affected Products

Secure Headers