Vulnerability Description
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Http-Client Project | Http-Client | < 1.0.8 |
Related Weaknesses (CWE)
References
- https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f7PatchThird Party Advisory
- https://github.com/actions/http-client/pull/27PatchThird Party Advisory
- https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4Third Party Advisory
- https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f7PatchThird Party Advisory
- https://github.com/actions/http-client/pull/27PatchThird Party Advisory
- https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4Third Party Advisory
FAQ
What is CVE-2020-11021?
CVE-2020-11021 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if co...
How severe is CVE-2020-11021?
CVE-2020-11021 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11021?
Check the references section above for vendor advisories and patch information. Affected products include: Http-Client Project Http-Client.