// For flags

CVE-2020-13956

apache-httpclient: incorrect handling of malformed authority component in request URIs

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Apache HttpClient versiones anteriores a 4.5.13 y 5.0.3, pueden interpretar inapropiadamente el componente authority malformado en las peticiones URI pasadas ??a la biblioteca como objeto java.net.URI y elegir el host de destino equivocado para una ejecuciĆ³n de la peticiĆ³n

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-06-08 CVE Reserved
  • 2020-10-28 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
References (65)
URL Tag Source
https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457%40%3Cdev.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d%40%3Ccommits.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303%40%3Cgitbox.hive.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707%40%3Ccommits.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e%40%3Ccommits.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89%40%3Cdev.jackrabbit.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90%40%3Cissues.hive.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d%40%3Ccommits.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f%40%3Ccommits.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec%40%3Cissues.bookkeeper.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b%40%3Cissues.maven.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b%40%3Cissues.maven.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673%40%3Cissues.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17%40%3Cdev.jackrabbit.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587%40%3Cissues.maven.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4%40%3Cgitbox.hive.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858%40%3Cissues.hive.apache.org%3E Mailing List
https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625%40%3Cissues.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917%40%3Cdev.drill.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca%40%3Cissues.bookkeeper.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3%40%3Cissues.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f%40%3Cdev.ranger.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1%40%3Ccommits.creadur.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624%40%3Cissues.solr.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3%40%3Cissues.hive.apache.org%3E Mailing List
https://security.netapp.com/advisory/ntap-20220210-0002 Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Third Party Advisory
URL Date SRC
URL Date SRC
https://www.oracle.com//security-alerts/cpujul2021.html 2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html 2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html 2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html 2023-11-07
URL Date SRC
https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E 2023-11-07
https://access.redhat.com/security/cve/CVE-2020-13956 2023-06-29
https://bugzilla.redhat.com/show_bug.cgi?id=1886587 2023-06-29
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Httpclient
Search vendor "Apache" for product "Httpclient"
 < 4.5.13
Search vendor "Apache" for product "Httpclient" and version " < 4.5.13"
-
Affected
Apache
Search vendor "Apache"
 Httpclient
Search vendor "Apache" for product "Httpclient"
 >= 5.0.0 < 5.0.3
Search vendor "Apache" for product "Httpclient" and version " >= 5.0.0 < 5.0.3"
-
Affected
Quarkus
Search vendor "Quarkus"
 Quarkus
Search vendor "Quarkus" for product "Quarkus"
 < 1.7.6
Search vendor "Quarkus" for product "Quarkus" and version " < 1.7.6"
-
Affected
Oracle
Search vendor "Oracle"
 Data Integrator
Search vendor "Oracle" for product "Data Integrator"
 12.2.1.3.0
Search vendor "Oracle" for product "Data Integrator" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Data Integrator
Search vendor "Oracle" for product "Data Integrator"
 12.2.1.4.0
Search vendor "Oracle" for product "Data Integrator" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Jd Edwards Enterpriseone Orchestrator
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator"
 < 9.2.6.0
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" and version " < 9.2.6.0"
-
Affected
Oracle
Search vendor "Oracle"
 Jd Edwards Enterpriseone Tools
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"
 < 9.2.6.0
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.0"
-
Affected
Oracle
Search vendor "Oracle"
 Nosql Database
Search vendor "Oracle" for product "Nosql Database"
 < 20.3
Search vendor "Oracle" for product "Nosql Database" and version " < 20.3"
-
Affected
Oracle
Search vendor "Oracle"
 Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
 8.57
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"
-
Affected
Oracle
Search vendor "Oracle"
 Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
 8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
 Peoplesoft Enterprise Pt Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools"
 8.57
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools" and version "8.57"
-
Affected
Oracle
Search vendor "Oracle"
 Peoplesoft Enterprise Pt Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools"
 8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
 Peoplesoft Enterprise Pt Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools"
 8.59
Search vendor "Oracle" for product "Peoplesoft Enterprise Pt Peopletools" and version "8.59"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 >= 17.7 <= 17.12
Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 16.1
Search vendor "Oracle" for product "Primavera Unifier" and version "16.1"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 16.2
Search vendor "Oracle" for product "Primavera Unifier" and version "16.2"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 18.8
Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 19.12
Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"
-
Affected
Oracle
Search vendor "Oracle"
 Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
 20.12
Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"
-
Affected
Oracle
Search vendor "Oracle"
 Retail Customer Management And Segmentation Foundation
Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation"
 >= 16.0 <= 19.0
Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation" and version " >= 16.0 <= 19.0"
-
Affected
Oracle
Search vendor "Oracle"
 Spatial Studio
Search vendor "Oracle" for product "Spatial Studio"
 < 20.1.1
Search vendor "Oracle" for product "Spatial Studio" and version " < 20.1.1"
-
Affected
Oracle
Search vendor "Oracle"
 Sql Developer
Search vendor "Oracle" for product "Sql Developer"
 < 20.4.1.407.0006
Search vendor "Oracle" for product "Sql Developer" and version " < 20.4.1.407.0006"
-
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-linux
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
 Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-windows
Affected
Netapp
Search vendor "Netapp"
 Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Oracle
Search vendor "Oracle"
 Commerce Guided Search
Search vendor "Oracle" for product "Commerce Guided Search"
 11.3.2
Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"
-
Affected
Oracle
Search vendor "Oracle"
 Communications Cloud Native Core Service Communication Proxy
Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"
 1.14.0
Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.14.0"
-
Affected
Oracle
Search vendor "Oracle"
 Sql Developer
Search vendor "Oracle" for product "Sql Developer"
 < 21.99
Search vendor "Oracle" for product "Sql Developer" and version " < 21.99"
-
Affected
Oracle
Search vendor "Oracle"
 Weblogic Server
Search vendor "Oracle" for product "Weblogic Server"
 12.2.1.4.0
Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Weblogic Server
Search vendor "Oracle" for product "Weblogic Server"
 14.1.1.0.0
Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"
-
Affected