CVE-2020-11021

Name of the Vulnerable Software and Affected Versions @actions/http-client versions prior to 1.0.8

Description The issue can disclose Authorization headers to incorrect domains in certain redirect scenarios. This occurs when consumers of the http-client make an HTTP request with an authorization header, the request leads to a redirect (302), and the redirect URL redirects to another domain or hostname. As a result, the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.

Recommendations For versions prior to 1.0.8, update to version 1.0.8, where the authorization header is stripped before making the redirected request if the hostname is different.