CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11021 – HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client
https://notcve.org/view.php?id=CVE-2020-11021
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8. Actions Http-Client (NPM @actions/http-client) versiones anteriores a 1.0.8, puede revelar los encabezados de Autorización en dominios incorrectos en determinados escenarios de redireccionamiento. Las condiciones en las que esto ocurre son si los consumidores del http-client: 1. hacen una petición http con un encabezado de autorización 2. esa petición conduce a un redireccionamiento (302) y 3. la URL de redireccionamiento redirecciona a otro dominio o nombre de host. • https://github.com/ossf-cve-benchmark/CVE-2020-11021 https://github.com/actions/http-client/commit/f6aae3dda4f4c9dc0b49737b36007330f78fd53a https://github.com/actions/http-client/pull/27 https://github.com/actions/http-client/security/advisories/GHSA-9w6v-m7wp-jwg4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7398 – async-http-client: missing hostname verification for SSL certificates
https://notcve.org/view.php?id=CVE-2013-7398
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. main/java/com/ning/http/client/AsyncHttpClientConfig.java en Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 no requiere una coincidencia de nombre de anfitrión durante la verificación de los certificados X.509, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS a través de un certificado válido arbitrario. It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. • http://openwall.com/lists/oss-security/2014/08/26/1 http://rhn.redhat.com/errata/RHSA-2015-0850.html http://rhn.redhat.com/errata/RHSA-2015-0851.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1551.html http://www.securityfocus.com/bid/69317 https://github.com/AsyncHttpClient/async-http-client/issues/197 https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E https://l • CWE-297: Improper Validation of Certificate with Host Mismatch CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7397 – async-http-client: SSL/TLS certificate verification is disabled under certain conditions
https://notcve.org/view.php?id=CVE-2013-7397
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 salta la verificación los certificados X.509 a no ser que tanto una localización keyStore y una localización trustStore estén configuradas explícitamente, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS mediante la presentación de un certificado arbitrario durante el uso de una configuración AHC típica, tal y como fue demostrado por una configuración que no envía certificados de cliente. It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate. • http://openwall.com/lists/oss-security/2014/08/26/1 http://rhn.redhat.com/errata/RHSA-2015-0850.html http://rhn.redhat.com/errata/RHSA-2015-0851.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1551.html http://www.securityfocus.com/bid/69316 https://github.com/AsyncHttpClient/async-http-client/issues/352 https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E https://l • CWE-295: Improper Certificate Validation CWE-345: Insufficient Verification of Data Authenticity •