CVE-2020-11021
HTTP requests that redirect to another hostname do not strip the Authorization header in @actions/http-client
Description
### Impact

If consumers of the http-client:

1. make an HTTP request with an authorization header,
2. that request leads to a redirect (302), and
3. the redirect URL redirects to another domain or hostname,

the authorization header will get passed to the other domain. Note that since this library is for actions, the GITHUB_TOKEN that is available in actions is generated and scoped per job with [these permissions](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).

### Patches

The problem is fixed in 1.0.8 at [npm here](https://www.npmjs.com/package/@actions/http-client). In 1.0.8, the authorization header is stripped before making the redirected request if the hostname is different.

### Workarounds

None.

### References

https://github.com/actions/http-client/pull/27

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/actions/http-client/issues
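The following is an added example, not code from @actions/http-client, showing the behaviour the 1.0.8 fix describes: when a response redirects, credential headers are forwarded only if the redirect target resolves to the same hostname as the original request. The `followRedirect` helper, the constructed `response` object and the placeholder token are assumptions of this example.

```javascript
// Added example (not the library's code): decide which request headers may be
// forwarded on a redirect, dropping credentials when the hostname changes.

// Headers that must never leak to a different host on redirect.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization'];

// Resolve a Location header against the original URL so relative
// redirects ("/login") and absolute ones ("https://other.example/") both work.
function resolveRedirect(originalUrl, location) {
  return new URL(location, originalUrl);
}

// Return a copy of `headers` with credential headers removed when the
// redirect target's hostname differs from the original request's hostname.
function headersForRedirect(originalUrl, location, headers) {
  const from = new URL(originalUrl);
  const to = resolveRedirect(originalUrl, location);
  const sameHost = from.hostname.toLowerCase() === to.hostname.toLowerCase();
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameHost && SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      continue; // vulnerable (< 1.0.8) behaviour would forward this header
    }
    out[name] = value;
  }
  return out;
}

// Simulate following one redirect. `response` is a constructed object
// { status, location } standing in for a real HTTP response.
function followRedirect(originalUrl, headers, response) {
  const isRedirect = [301, 302, 303, 307, 308].includes(response.status);
  if (!isRedirect || !response.location) {
    return { url: originalUrl, headers: { ...headers } };
  }
  const target = resolveRedirect(originalUrl, response.location);
  return {
    url: target.href,
    headers: headersForRedirect(originalUrl, response.location, headers),
  };
}

// Demo: a 302 from api.github.com to another host drops Authorization,
// keeps the harmless Accept header. The token value is a placeholder.
const demo = followRedirect(
  'https://api.github.com/repos/example/repo',
  { Authorization: 'Bearer <GITHUB_TOKEN placeholder>', Accept: 'application/json' },
  { status: 302, location: 'https://other.example/collect' }
);
console.log(demo);
```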
How to fix CVE-2020-11021
To remediate CVE-2020-11021, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.8 or later
Is CVE-2020-11021 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @actions/http-client: versions >= 0 and < 1.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.3) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |