CVE-2020-13956: Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as…

medium5.3CVSS 3.1

AVNACLPRNUINSUCNILAN

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	httpclient	< 4.5.13	4.5.13
apache	httpclient	>= 5.0.0 < 5.0.3	5.0.3
debian	httpcomponents-client	< httpcomponents-client 4.5.13-1 (bookworm)	httpcomponents-client 4.5.13-1 (bookworm)
oracle	commerce_guided_search	—	—
oracle	communications_cloud_native_core_service_communication_proxy	—	—
oracle	data_integrator	—	—
oracle	data_integrator	—	—
oracle	jd_edwards_enterpriseone_orchestrator	< 9.2.6.0	9.2.6.0
oracle	jd_edwards_enterpriseone_tools	< 9.2.6.0	9.2.6.0
oracle	nosql_database	< 20.3	20.3
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	peoplesoft_enterprise_pt_peopletools	—	—
oracle	peoplesoft_enterprise_pt_peopletools	—	—
oracle	peoplesoft_enterprise_pt_peopletools	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	17.7 – 17.12	—
oracle	retail_customer_management_and_segmentation_foundation	16.0 – 19.0	—
oracle	spatial_studio	< 20.1.1	20.1.1
oracle	sql_developer	< 20.4.1.407.0006	20.4.1.407.0006
oracle	sql_developer	< 21.99	21.99

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

ghsa5.3MEDIUM

osv5.3MEDIUM