CVE-2020-11021 – @actions/http-client
Package
Manager: npm
Name: @actions/http-client
Vulnerable Version: >=0 <1.0.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.00434 (percentile 0.61963)
Details
HTTP requests that redirect to another hostname do not strip the Authorization header in @actions/http-client.

### Impact

If consumers of the http-client:

1. make an HTTP request with an Authorization header,
2. that request leads to a redirect (302), and
3. the redirect URL points to another domain or hostname,

the Authorization header will be passed to the other domain. Note that since this library is for actions, the GITHUB_TOKEN that is available in actions is generated and scoped per job with [these permissions](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).

### Patches

The problem is fixed in 1.0.8 at [npm here](https://www.npmjs.com/package/@actions/http-client). In 1.0.8, the Authorization header is stripped before making the redirected request if the hostname is different.

### Workarounds

None.

### References

https://github.com/actions/http-client/pull/27

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/actions/http-client/issues
Metadata
Created: 2020-04-29T17:58:53Z
Modified: 2021-08-25T21:03:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-9w6v-m7wp-jwg4/GHSA-9w6v-m7wp-jwg4.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-9w6v-m7wp-jwg4
Finding: F310
Auto approve: 1