CVE-2020-13956

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 02-12-2020 06:15

Last modified: - 12-05-2022 04:47

Total changes: - 33

Description

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

None

Confidentiality

Low

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

5.3

Base score

3.9

1.4

Exploitability score

Impact score

Verification logic

vendor=apache AND product=httpclient AND versionStartIncluding=5.0.0 AND versionEndExcluding=5.0.3

vendor=apache AND product=httpclient AND versionEndExcluding=4.5.13

vendor=quarkus AND product=quarkus AND versionEndExcluding=1.7.6

vendor=oracle AND product=primavera_unifier AND version=16.2

vendor=oracle AND product=primavera_unifier AND version=16.1

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.57

vendor=oracle AND product=primavera_unifier AND version=18.8

vendor=oracle AND product=data_integrator AND version=12.2.1.3.0

vendor=oracle AND product=primavera_unifier AND versionEndIncluding=17.12 AND versionStartIncluding=17.7

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.58

vendor=oracle AND product=primavera_unifier AND version=19.12

vendor=oracle AND product=data_integrator AND version=12.2.1.4.0

vendor=oracle AND product=primavera_unifier AND version=20.12

vendor=oracle AND product=jd_edwards_enterpriseone_orchestrator AND versionEndExcluding=9.2.6.0

vendor=oracle AND product=jd_edwards_enterpriseone_tools AND versionEndExcluding=9.2.6.0

vendor=oracle AND product=nosql_database AND versionEndExcluding=20.3

vendor=oracle AND product=peoplesoft_enterprise_pt_peopletools AND version=8.57

vendor=oracle AND product=peoplesoft_enterprise_pt_peopletools AND version=8.58

vendor=oracle AND product=peoplesoft_enterprise_pt_peopletools AND version=8.59

vendor=oracle AND product=retail_customer_management_and_segmentation_foundation AND versionEndIncluding=19.0 AND versionStartIncluding=16.0

vendor=oracle AND product=spatial_studio AND versionEndExcluding=20.1.1

vendor=oracle AND product=sql_developer AND versionEndExcluding=20.4.1.407.0006

vendor=netapp AND product=snapcenter AND version=-

vendor=netapp AND product=active_iq_unified_manager AND version=- AND target_software=vmware_vsphere

vendor=netapp AND product=active_iq_unified_manager AND version=- AND target_software=linux

vendor=netapp AND product=active_iq_unified_manager AND version=- AND target_software=windows

vendor=oracle AND product=weblogic_server AND version=12.2.1.4.0

vendor=oracle AND product=weblogic_server AND version=14.1.1.0.0

vendor=oracle AND product=commerce_guided_search AND version=11.3.2

vendor=oracle AND product=communications_cloud_native_core_service_communication_proxy AND version=1.14.0

vendor=oracle AND product=sql_developer AND versionEndExcluding=21.99

Reference

https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E
[ranger-dev] 20201204 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[ranger-dev] 20201204 [jira] [Assigned] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[ranger-dev] 20201215 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[ranger-dev] 20201215 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list-Mailing List, Vendor Advisory
[ranger-dev] 20201216 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-solr-user] 20201229 Upgrade httpclient version due to CVE-2020-13956?-Mailing List, Vendor Advisory
[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/-Mailing List, Vendor Advisory
[hive-gitbox] 20210301 [GitHub] [hive] hsnusonic opened a new pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[hive-issues] 20210301 [jira] [Updated] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[hive-issues] 20210301 [jira] [Assigned] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[hive-dev] 20210301 [jira] [Created] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20210316 [jira] [Created] (SOLR-15270) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20210316 [jira] [Resolved] (SOLR-15270) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20210316 [jira] [Created] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[maven-issues] 20210530 [jira] [Updated] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956-Mailing List, Vendor Advisory
[maven-issues] 20210530 [jira] [Closed] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956-Mailing List, Vendor Advisory
[maven-issues] 20210530 [jira] [Resolved] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956-Mailing List, Vendor Advisory
[drill-issues] 20210604 [jira] [Commented] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-issues] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-commits] 20210604 [drill] branch master updated: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956 (#2250)-Mailing List, Vendor Advisory
[drill-issues] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[drill-dev] 20210604 [GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956-Mailing List, Vendor Advisory
[creadur-commits] 20210608 [jira] [Assigned] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956-Mailing List, Vendor Advisory
[creadur-commits] 20210608 [jira] [Resolved] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956-Mailing List, Vendor Advisory
[creadur-commits] 20210608 [jira] [Commented] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956-Mailing List, Patch, Vendor Advisory
[creadur-commits] 20210608 [jira] [Work started] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956-Mailing List, Vendor Advisory
[creadur-commits] 20210608 [jira] [Created] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
[maven-issues] 20210621 [jira] [Assigned] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956-Mailing List, Vendor Advisory
[creadur-dev] 20210621 [jira] [Updated] (RAT-275) Update httpclient to fix CVE-2020-13956 once a new doxia-core release is available-Mailing List, Vendor Advisory
[solr-issues] 20210623 [jira] [Updated] (SOLR-15270) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20210623 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke commented on pull request #310: OAK-9482: upgrade httpclient to 4.5.13-Mailing List, Vendor Advisory
[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke removed a comment on pull request #310: OAK-9482: upgrade httpclient to 4.5.13-Mailing List, Vendor Advisory
N/A-Patch, Third Party Advisory
[solr-issues] 20210912 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[bookkeeper-issues] 20210914 [GitHub] [bookkeeper] nicoloboschi opened a new pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956-Mailing List, Vendor Advisory
[bookkeeper-issues] 20210917 [GitHub] [bookkeeper] nicoloboschi commented on pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20210921 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20211007 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 closed pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20211011 [jira] [Commented] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[lucene-issues] 20211011 [GitHub] [lucene-solr] madrob merged pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20211011 [jira] [Resolved] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
[solr-issues] 20211019 [jira] [Closed] (SOLR-15269) upgrade httpclient to address CVE-2020-13956-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
[ranger-dev] 20211028 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
https://security.netapp.com/advisory/ntap-20220210-0002/
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2020-13956

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-13956

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures