CVE-2020-11021
HTTP requests which redirect to another hostname do not strip the Authorization header in @actions/http-client
Description
### Impact

If consumers of the http-client:

1. make an HTTP request with an authorization header,
2. that request leads to a redirect (302), and
3. the redirect URL redirects to another domain or hostname,

the authorization header will get passed to the other domain. Note that since this library is for actions, the GITHUB_TOKEN that is available in actions is generated and scoped per job with [these permissions](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).

### Patches

The problem is fixed in 1.0.8 at [npm here](https://www.npmjs.com/package/@actions/http-client). In 1.0.8, the authorization header is stripped before making the redirected request if the hostname is different.

### Workarounds

None.

### References

https://github.com/actions/http-client/pull/27

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/actions/http-client/issues
How to fix CVE-2020-11021
To fix CVE-2020-11021, upgrade the affected package to the patched version below.
- Upgrade to 1.0.8 or later
Is CVE-2020-11021 being exploited?
Low: EPSS is 0.4%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- @actions/http-client: from 0, < 1.0.8
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |