Severity: 5.3 MEDIUM
EPSS: 0.5% (top 33.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2020-12-02, latest update 2025-10-15

Description

Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in a request URI that is passed to the library as a java.net.URI object, and as a result pick the wrong target host when executing the request. The impact is to integrity only (CVSS C:N/I:L/A:N): a request built from attacker-influenced URI input can be sent to a host other than the one the caller intended. Fixed in 4.5.13 (4.x line) and 5.0.3 (5.x line).
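The check below is an added example, not Apache HttpClient's own code, showing what a caller can put in front of a client it cannot upgrade yet: it refuses request URIs whose authority java.net.URI does not parse as a server-based host[:port] (uri.getHost() returns null), refuses userinfo, and pins the parsed host to an allow-list, so the library is never handed an authority it has to interpret on its own. The assumption that "malformed authority" in the description corresponds to the getHost()-returns-null case is this example's, not the page's. The class name TargetHostGuard, the allow-list contents and the sample URIs are constructed for the example; upgrading to 4.5.13 / 5.0.3 is still the real fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Pre-flight guard for request URIs (added example, not HttpClient code).
 *
 * java.net.URI accepts authorities it cannot parse as host[:port] and
 * reports them via getHost() == null while getAuthority() still returns the
 * raw text. This guard refuses such URIs, refuses userinfo, and only accepts
 * hosts on an allow-list, so the HTTP client never has to guess the target.
 */
public final class TargetHostGuard {

    private final Set<String> allowedHosts;

    public TargetHostGuard(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns the host the request may be sent to, or throws if the URI is ambiguous. */
    public String resolveTargetHost(String rawUri) throws URISyntaxException {
        URI uri = new URI(rawUri);

        if (uri.isOpaque() || uri.getScheme() == null) {
            throw new URISyntaxException(rawUri, "hierarchical http(s) URI required");
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new URISyntaxException(rawUri, "unsupported scheme: " + scheme);
        }

        // Server-based authority parsing failed: the authority is not a clean
        // host[:port] (registry-based authority, illegal characters, ...).
        String host = uri.getHost();
        if (host == null) {
            throw new URISyntaxException(rawUri,
                    "authority not parseable as host[:port]: " + uri.getRawAuthority());
        }

        // Userinfo lets an attacker place a trusted-looking name before '@'
        // while the real host sits after it; simplest policy is to reject it.
        if (uri.getRawUserInfo() != null) {
            throw new URISyntaxException(rawUri, "userinfo in request URI is not allowed");
        }

        String normalized = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(normalized)) {
            throw new URISyntaxException(rawUri, "host not on allow-list: " + normalized);
        }
        return normalized;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        TargetHostGuard guard = new TargetHostGuard(Set.of("api.example.com"));
        String[] samples = {
            "https://api.example.com/v1/items",          // accepted
            "https://api.example.com:8443/v1/items",     // accepted, explicit port
            "https://api.example.com@evil.example/",     // userinfo mimics trusted host
            "https://api_example.com/",                  // underscore: getHost() == null
            "mailto:ops@example.com",                    // opaque URI
        };
        for (String s : samples) {
            try {
                System.out.println("OK   " + s + " -> " + guard.resolveTargetHost(s));
            } catch (URISyntaxException e) {
                System.out.println("DENY " + s + " : " + e.getReason());
            }
        }
    }
}
```

Call resolveTargetHost on every URI that originates outside the process (redirect targets, user-supplied callback URLs, configuration pulled from a registry) and use the returned host to build the HttpHost you hand to the client, rather than passing the raw URI through.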

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (18 packages)

Source    | Package                                  | Affected        | Fixed
Maven     | org.apache.httpcomponents:httpclient     | 5.0.0           | 5.0.3 (+1)
NVD       | apache/httpclient                        | 5.0.0           | 5.0.3 (+1)
CVEListV5 | apache_httpclient                        | 4.5.12 and prior, 5.0.2 and prior |
Debian    | httpcomponents-client                    | < 4.5.13-1 (+3) |
NVD       | quarkus/quarkus                          | < 1.7.6         |

Patches

Vulnerability Details (4)

OSV: Cross-site scripting in Apache HttpClient (2021-06-03)
GHSA: Cross-site scripting in Apache HttpClient (2021-06-03)
OSV: CVE-2020-13956: Apache HttpClient versions prior to version 4 (2020-12-02)
CVEList: CVE-2020-13956: Apache HttpClient versions prior to version 4 (2020-12-02)

Note: the OSV and GHSA entries carry a "Cross-site scripting" title, but the description above and the CVSS vector (C:N/I:L/A:N) describe a wrong-target-host issue in URI authority handling, not XSS.

Vendor Advisories (15)

Oracle: Oracle Essbase Risk Matrix: Security and Provisioning (Apache HttpClient), CVE-2020-13956 (2025-10-15)
Oracle: Oracle Analytics Risk Matrix: Analytics Server (Apache HttpClient), CVE-2020-13956 (2025-01-15)
Oracle: Oracle Commerce Risk Matrix: Endeca Integration (Apache HttpClient), CVE-2020-13956 (2024-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Platform (Apache HttpClient), CVE-2020-13956 (2024-07-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Apache HttpClient), CVE-2020-13956 (2023-10-15)

Community (1)

Bugzilla: CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs (2020-10-08)