CVE-2020-11021 - OpenCVE

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Http-client Project	Http-client

Configuration 1 [-]

cpe:2.3:a:http-client_project:http-client:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a
https://github.com/actions/http-client/pull/27
https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-04-29T18:00:20

Updated: 2024-08-04T11:21:14.534Z

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11021

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-29T18:15:13.423

Modified: 2021-09-14T14:02:07.937

Link: CVE-2020-11021

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "http-client", "vendor": "actions", "versions": [{"status": "affected", "version": "< 1.0.8"}]}], "descriptions": [{"lang": "en", "value": "Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-29T18:00:20", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/actions/http-client/pull/27"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a"}], "source": {"advisory": "GHSA-9w6v-m7wp-jwg4", "discovery": "UNKNOWN"}, "title": "HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11021", "STATE": "PUBLIC", "TITLE": "HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "http-client", "version": {"version_data": [{"version_value": "< 1.0.8"}]}}]}, "vendor_name": "actions"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4", "refsource": "CONFIRM", "url": "https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4"}, {"name": "https://github.com/actions/http-client/pull/27", "refsource": "MISC", "url": "https://github.com/actions/http-client/pull/27"}, {"name": "https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a", "refsource": "MISC", "url": "https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a"}]}, "source": {"advisory": "GHSA-9w6v-m7wp-jwg4", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.534Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/actions/http-client/pull/27"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11021", "datePublished": "2020-04-29T18:00:20", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.534Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:http-client_project:http-client:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D06CAAAD-54B3-490E-8931-FA3ACB500A11", "versionEndExcluding": "1.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8."}, {"lang": "es", "value": "Actions Http-Client (NPM @actions/http-client) versiones anteriores a 1.0.8, puede revelar los encabezados de Autorizaci\u00f3n en dominios incorrectos en determinados escenarios de redireccionamiento. Las condiciones en las que esto ocurre son si los consumidores del http-client: 1. hacen una petici\u00f3n http con un encabezado de autorizaci\u00f3n 2. esa petici\u00f3n conduce a un redireccionamiento (302) y 3. la URL de redireccionamiento redirecciona a otro dominio o nombre de host. Entonces el encabezado de autorizaci\u00f3n se pasar\u00e1 al otro dominio. El problema se corrigi\u00f3 en la versi\u00f3n 1.0.8."}], "id": "CVE-2020-11021", "lastModified": "2021-09-14T14:02:07.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-04-29T18:15:13.423", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/actions/http-client/pull/27"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}