CVE-2020-11021
CVE-2020-11021 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to an incorrect domain in certain redirect scenarios. EPSS estimates a 1.74% chance of exploitation in the next 30 days.
Description
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to an incorrect domain in certain redirect scenarios. This happens when consumers of the http-client:
1. make an HTTP request with an Authorization header,
2. that request leads to a redirect (302), and
3. the redirect URL points to another domain or hostname.
In that case the Authorization header is passed to the other domain. The problem is fixed in version 1.0.8.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Http-Client Project | Http-Client | < 1.0.8 |
References
- https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a (Patch, Third Party Advisory)
- https://github.com/actions/http-client/pull/27 (Patch, Third Party Advisory)
- https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4 (Third Party Advisory)
Source: NVD / NIST
