CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Published: Dec 2, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-13956
GHSA: GHSA-7r82-7xv7-xcpj
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
apache / httpclient	5.0.0	5.0.3
apache / httpclient	-	4.5.13
quarkus / quarkus	-	1.7.6
oracle / primavera_unifier	16.2	16.2.x
oracle / primavera_unifier	16.1	16.1.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / primavera_unifier	18.8	18.8.x
oracle / data_integrator	12.2.1.3.0	12.2.1.3.0.x
oracle / primavera_unifier	17.7	17.12.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / primavera_unifier	19.12	19.12.x
oracle / data_integrator	12.2.1.4.0	12.2.1.4.0.x
oracle / primavera_unifier	20.12	20.12.x
oracle / peoplesoft_enterprise_pt_peopletools	8.57	8.57.x
oracle / nosql_database	-	20.3
oracle / peoplesoft_enterprise_pt_peopletools	8.59	8.59.x
oracle / peoplesoft_enterprise_pt_peopletools	8.58	8.58.x
oracle / retail_customer_management_and_segmentation_foundation	16.0	19.0.x
oracle / sql_developer	-	20.4.1.407.0006
oracle / spatial_studio	-	20.1.1
oracle / jd_edwards_enterpriseone_tools	-	9.2.6.0
oracle / jd_edwards_enterpriseone_orchestrator	-	9.2.6.0
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	14.1.1.0.0	14.1.1.0.0.x
oracle / commerce_guided_search	11.3.2	11.3.2.x
oracle / communications_cloud_native_core_service_communication_proxy	1.14.0	1.14.0.x
oracle / sql_developer	-	21.99
org.apache.httpcomponents / httpclient	-	4.5.13
org.apache.httpcomponents / httpclient	5.0.0	5.0.3

Vulnerability Database

289,599

CVE-2020-13956