← Back to CVE List

CVE-2020-5216

Published: 2020-01-23T03:15Z
Last Modified: 2024-11-21T05:33Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt