Vulnerability Description
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in a request URI passed to the library as a java.net.URI object and pick the wrong target host for request execution.
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | HttpClient | < 4.5.13 |
| Quarkus | Quarkus | < 1.7.6 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | JD Edwards EnterpriseOne Orchestrator | < 9.2.6.0 |
| Oracle | JD Edwards EnterpriseOne Tools | < 9.2.6.0 |
| Oracle | NoSQL Database | < 20.3 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.57 |
| Oracle | PeopleSoft Enterprise PT PeopleTools | 8.57 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Retail Customer Management and Segmentation Foundation | >= 16.0, <= 19.0 |
| Oracle | Spatial Studio | < 20.1.1 |
| Oracle | SQL Developer | < 20.4.1.407.0006 |
| NetApp | Active IQ Unified Manager | - |
| NetApp | SnapCenter | - |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | WebLogic Server | 12.2.1.4.0 |
References
- https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8
- https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a52286
- https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac
- https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7
- https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90da
- https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41e
- https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610ea
- https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7
- https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cc
- https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52
- https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3f
- https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83
- https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f1
- https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601
- https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b
FAQ
What is CVE-2020-13956?
CVE-2020-13956 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in a request URI passed to the library as a java.net.URI object and pick the wrong target host ...
How severe is CVE-2020-13956?
CVE-2020-13956 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2020-13956?
Check the References section above for vendor advisories and patch information. Affected products include: Apache HttpClient, Quarkus, Oracle Data Integrator, Oracle JD Edwards EnterpriseOne Orchestrator, and Oracle JD Edwards EnterpriseOne Tools.