CVE-2020-5216
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
EPSS 1.1%
描述
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.
如何修補 CVE-2020-5216
OSV 沒有提供套件對應 — 請參考下方連結尋找廠商提供的建議。
CVE-2020-5216 正在被利用嗎?
低 — EPSS 為 1.1%,目前沒有觀察到大規模利用活動。
受影響套件(0)
OSV 沒有提供套件對應。