CVE-2020-11021 MEDIUM

CVE-2020-11021: HTTP requests which redirect to another hostname do not strip the authorization header in Actions Http-Client

Vendor Actions
Product http-client
Weakness CWE-200 · Info exposure
Published April 29, 2020
Last update August 4, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to an incorrect domain in certain redirect scenarios. This happens when consumers of the http-client:

1. make an HTTP request with an Authorization header,
2. that request leads to a redirect (302), and
3. the redirect URL points to another domain or hostname.

The Authorization header is then passed to the other domain. The problem is fixed in version 1.0.8.
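The following is an added example, not code from @actions/http-client, contrasting the behaviour the advisory describes (every header forwarded on redirect) with a hardened redirect filter that drops credential headers once the hostname changes. The URLs, header values and response table are constructed for illustration.

```javascript
// Headers that carry credentials and must not cross a host boundary.
const SENSITIVE = new Set(["authorization", "proxy-authorization", "cookie"]);

// Behaviour described for versions before 1.0.8: every request header,
// Authorization included, is forwarded to whatever host Location names.
function redirectHeadersUnsafe(fromUrl, location, headers) {
  return { ...headers };
}

// Hardened behaviour: drop credential headers when the redirect target's
// hostname differs from the original request's hostname.
function redirectHeadersSafe(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // also resolves relative Location values
  const crossHost = from.hostname.toLowerCase() !== to.hostname.toLowerCase();
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && SENSITIVE.has(name.toLowerCase())) continue;
    next[name] = value;
  }
  return next;
}

// Follow a redirect chain against a constructed response table (a stand-in
// for a real HTTP client) and record which headers each host would receive,
// so a test can check whether a token ever leaves the origin host.
function follow(startUrl, headers, responses, filter, maxRedirects = 5) {
  const seen = [];
  let url = startUrl;
  let h = headers;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    seen.push({ host: new URL(url).hostname, headers: h });
    const res = responses[url];
    if (!res || res.status !== 302 || !res.location) return seen;
    h = filter(url, res.location, h);
    url = new URL(res.location, url).toString();
  }
  throw new Error("too many redirects");
}

// Constructed sample: the API host 302-redirects to a different hostname.
const RESPONSES = {
  "https://api.example.com/v1/artifact": { status: 302, location: "https://cdn.other.example/obj" },
  "https://cdn.other.example/obj": { status: 200 },
};

module.exports = { redirectHeadersUnsafe, redirectHeadersSafe, follow, RESPONSES };
```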

Key dates

Disclosure timeline

April 29, 2020 CVE published
August 4, 2024 Record updated