Lucene search

[email protected]CVE-2020-11021

HistoryApr 29, 2020 - 6:15 p.m.

CVE-2020-11021

2020-04-2918:15:13

CWE-200

[email protected]

web.nvd.nist.gov

cve-2020-11021

npm

actions/http-client

authorization header disclosure

security vulnerability

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.2%

JSON

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.

Affected configurations

Vulners

NVD

Node

actionshttp_clientRange<1.0.8

CPENameOperatorVersion
http-client_project:http-clienthttp-client project http-clientlt1.0.8

CPE	Name	Operator	Version
http-client_project:http-client	http-client project http-client	lt	1.0.8

CNA Affected

[
  {
    "product": "http-client",
    "vendor": "actions",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.0.8"
      }
    ]
  }
]