CVE-2020-5216: Directive injection vulnerability in the secure_headers RubyGem
The affected code is the secure_headers gem's Content-Security-Policy helpers. If user-supplied input is passed into append_content_security_policy_directives or override_content_security_policy_directives, a newline can be injected into a directive value, leading to limited header injection. When the assembled value contains a newline, Rails silently starts a new Content-Security-Policy header with the remainder of the original string, and does so again for every further newline. The attacker therefore does not get an arbitrary header, but does get to append extra Content-Security-Policy headers whose values they control, which a browser enforces alongside the intended policy. The issue is fixed in secure_headers 3.9.0, 5.2.0 and 6.3.0, which reject directive values containing newlines.
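The following Ruby script is an added example, not code from secure_headers or Rails, that models the behaviour described above: a CSP value is assembled from a directive hash without checking the source expressions, a downstream header writer breaks the value on newlines into separate headers, and a hardened builder refuses newline-bearing sources up front. The function names (build_csp_unchecked, emit_headers, build_csp_checked), the header-splitting model and the sample directive hashes are assumptions made for illustration.

```ruby
CSP_HEADER = "Content-Security-Policy".freeze

# Joins directives into one header value without inspecting them. This mimics
# the pre-fix behaviour described in the advisory; it is not secure_headers' code.
def build_csp_unchecked(directives)
  directives.map { |name, sources| "#{name} #{Array(sources).join(' ')}" }.join("; ")
end

# Models a header writer that starts a new header at every newline, which is the
# effect the advisory describes: the remainder of the value becomes a further
# Content-Security-Policy header. Returns [[name, value], ...]. Assumed model.
def emit_headers(name, value)
  value.split(/\r?\n/).map { |line| [name, line] }
end

# Hardened form (assumed shape of the fix): refuse any source expression that
# contains CR or LF before the header value is assembled.
def build_csp_checked(directives)
  directives.each do |name, sources|
    Array(sources).each do |src|
      if src.match?(/[\r\n]/)
        raise ArgumentError, "newline in #{name} source: #{src.inspect}"
      end
    end
  end
  build_csp_unchecked(directives)
end

# Constructed inputs. In TAINTED the second script-src host came from a
# user-controlled value (say a per-tenant CDN hostname) and carries a newline
# followed by a policy the attacker wants the browser to enforce.
TRUSTED = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "https://cdn.example"]
}.freeze
TAINTED = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "https://cdn.example\ndefault-src 'none'"]
}.freeze

if __FILE__ == $0
  # One header for the clean input.
  p emit_headers(CSP_HEADER, build_csp_unchecked(TRUSTED))
  # Two headers for the tainted input: the injected "default-src 'none'" becomes
  # its own Content-Security-Policy header and blocks everything on the page.
  p emit_headers(CSP_HEADER, build_csp_unchecked(TAINTED))
  begin
    build_csp_checked(TAINTED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Note that the injected text stays inside a Content-Security-Policy header rather than becoming an arbitrary header, which is why the advisory calls the impact limited; but because browsers enforce every CSP header a response carries, an attacker who can append one can still break the page or add directives of their own.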