GitHub Advisory DatabaseGHSA-9W6V-M7WP-JWG4Http request which redirect to another hostname do not strip authorization header in @actions/http-client
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
52.2%
Impact
If consumers of the http-client:
- make an http request with an authorization header
- that request leads to a redirect (302) and
- the redirect url redirects to another domain or hostname
The authorization header will get passed to the other domain.
Note that since this library is for actions, the GITHUB_TOKEN that is available in actions is generated and scoped per job with these permissions.
Patches
The problem is fixed in 1.0.8 at npm here. In 1.0.8, the authorization header is stripped before making the redirected request if the hostname is different.
Workarounds
None.
References
https://github.com/actions/http-client/pull/27
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/actions/http-client/issues
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| @actions/http-client | lt | 1.0.8 |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
52.2%