CVE-2020-13956
Published: 2 December 2020
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
httpcomponents-client Launchpad, Ubuntu, Debian |
bionic |
Released
(4.5.5-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
| focal |
Released
(4.5.11-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(4.5.13-1)
|
|
| impish |
Not vulnerable
(4.5.13-1)
|
|
| jammy |
Not vulnerable
(4.5.13-1)
|
|
| kinetic |
Not vulnerable
(4.5.13-1)
|
|
| lunar |
Not vulnerable
(4.5.13-1)
|
|
| mantic |
Not vulnerable
(4.5.13-1)
|
|
| trusty |
Released
(4.3.3-1ubuntu0.1+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(4.5.13-1)
|
|
| xenial |
Released
(4.5.1-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
|
Patches: upstream: https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |