CVE-2020-13956
Published: 2 December 2020
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
Priority
Status
Package | Release | Status |
---|---|---|
httpcomponents-client | bionic | Released (4.5.5-1ubuntu0.1~esm1), available with Ubuntu Pro |
httpcomponents-client | focal | Released (4.5.11-1ubuntu0.1~esm1), available with Ubuntu Pro |
httpcomponents-client | groovy | Ignored (end of life) |
httpcomponents-client | hirsute | Not vulnerable (4.5.13-1) |
httpcomponents-client | impish | Not vulnerable (4.5.13-1) |
httpcomponents-client | jammy | Not vulnerable (4.5.13-1) |
httpcomponents-client | kinetic | Not vulnerable (4.5.13-1) |
httpcomponents-client | lunar | Not vulnerable (4.5.13-1) |
httpcomponents-client | mantic | Not vulnerable (4.5.13-1) |
httpcomponents-client | trusty | Released (4.3.3-1ubuntu0.1+esm2), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
httpcomponents-client | upstream | Released (4.5.13-1) |
httpcomponents-client | xenial | Released (4.5.1-1ubuntu0.1~esm1), available with Ubuntu Pro |

Patches: upstream: https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |