HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client
CVE-2020-11021

6.3MEDIUM

Key Information:

Vendor

Actions

Status
Http-client
Vendor
CVE Published:
29 April 2020

What is CVE-2020-11021?

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.

Affected Version(s)

http-client < 1.0.8

References

https://github.com/actions/http-client/security/advisorie...
x_refsource_CONFIRM
https://github.com/actions/http-client/pull/27
x_refsource_MISC
https://github.com/actions/http-client/commit/f6aae3dda4f...
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.