CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
If user-supplied input was passed into append/override_content_security_policy_directives,
a semicolon could be injected leading to directive injection.
This could be used to e.g. override a script-src directive. Duplicate directives are ignored
and the first one wins. The directives in secure_headers are sorted alphabetically so they
pretty much all come before script-src. A previously undefined directive would receive a value
even if SecureHeaders::OPT_OUT was supplied.
The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning
when this happens. This will result in innocuous browser console messages if being
exploited/accidentally used. In future releases, we will raise application errors resulting in
500s.
> Duplicate script-src directives detected. All but the first instance will be ignored.
See https://www.w3.org/TR/CSP3/#parse-serialized-policy
> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
> ignored. A console warning might be appropriate, for example.
If you are passing user input into the above methods, you could filter out the input:
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | secure_headers | * | cpe:2.3:a:ruby:secure_headers:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N