Http Client
Approved changes feed: RSS · Atom
cpe:2.3:a:actions:http-client:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Actions (5f883861-2acd-5804-86da-e818e3954297) |
|---|---|
| Product | Http Client (ddcefa4b-3fde-5846-8a4e-330a4ed78007) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2020-11021 |
vulnerable | 2026-06-03 14:41:00.886983 |
HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client
MEDIUM (6.3)
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.
Published: 2020-04-29T18:00:20.000Z
Updated: 2024-08-04T11:21:14.534Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.