CVE-2020-13956

Description

Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.

Risk Information

Base Score: 5.3 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score (Exploitation Probability): 0.505

Associated Vulnerability

Vulnerability | OS Platform
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows
Vulnerabilities CVE-2020-13956 are fixed in Apache-httpclient 4.5.13 | Windows
Vulnerabilities CVE-2020-13956 are fixed in Apache-httpclient 5.0.3 | Windows
Multiple Vulnerabilities are affected in IBM EntireX 11.1 | Windows
Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows
Multiple vulnerabilities are affected in Oracle Commerce Platform 11.3.0 | Windows
Multiple vulnerabilities are affected in Oracle Commerce Platform 11.3.1 | Windows
Multiple vulnerabilities are affected in Oracle Commerce Platform 11.3.2 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 10.5 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 10.6 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.3 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.4 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.5 | Windows
Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.6 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.5 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.1.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.4 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.5.2 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows
(RHSA-2022:1860) maven:3.6 security and enhancement update aopalliance-1.0-20.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update apache-commons-cli-1.4-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update apache-commons-codec-1.13-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update apache-commons-lang3-3.9-4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update atinject-1-31.20100611svn86.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update cdi-api-2.0.1-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update geronimo-annotation-1.0-26.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update google-guice-4.2.2-4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update httpcomponents-client-4.5.10-4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update httpcomponents-core-4.4.12-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update jansi-1.18-4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update jcl-over-slf4j-1.7.28-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update jsoup-1.12.1-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update jsr-305-0-0.25.20130910svn.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-3.6.2-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-lib-3.6.2-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-openjdk11-3.6.2-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-openjdk17-3.6.2-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-openjdk8-3.6.2-7.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-resolver-1.4.1-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-shared-utils-3.2.1-0.4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update maven-wagon-3.3.4-2.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-cipher-1.7-17.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-classworlds-2.6.0-4.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-containers-component-annotations-2.1.0-2.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-interpolation-1.26-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-sec-dispatcher-1.4-29.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update plexus-utils-3.3.0-3.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1860) maven:3.6 security and enhancement update sisu-0.3.4-2.module+el8.6.0+13337+afcb49ec.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update aopalliance-1.0-17.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update apache-commons-cli-1.4-4.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update apache-commons-codec-1.11-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update apache-commons-io-2.6-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update apache-commons-lang3-3.7-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update atinject-1-28.20100611svn86.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update cdi-api-1.2-8.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update geronimo-annotation-1.0-23.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update glassfish-el-api-3.0.1-0.7.b08.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update google-guice-4.1-11.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update guava20-20.0-8.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update hawtjni-runtime-1.16-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update httpcomponents-client-4.5.5-5.module+el8.6.0+13298+7b5243c0.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update httpcomponents-core-4.4.10-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update jansi-1.17.1-1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update jansi-native-1.7-7.module+el8+2452+b359bfcd.x86_64.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update jboss-interceptors-1.2-api-1.0.0-8.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update jcl-over-slf4j-1.7.25-4.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update jsoup-1.11.3-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-3.5.4-5.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-lib-3.5.4-5.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-api-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-connector-basic-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-impl-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-spi-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-transport-wagon-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-resolver-util-1.1.1-2.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-shared-utils-3.2.1-0.1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-wagon-file-3.1.0-1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-wagon-http-3.1.0-1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-wagon-http-shared-3.1.0-1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update maven-wagon-provider-api-3.1.0-1.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-cipher-1.7-14.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-classworlds-2.5.2-9.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-containers-component-annotations-1.7.1-8.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-interpolation-1.22-9.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-sec-dispatcher-1.4-26.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update plexus-utils-3.1.0-3.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update sisu-inject-0.3.3-6.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update sisu-plexus-0.3.3-6.module+el8+2452+b359bfcd.noarch.rpm | Linux
(RHSA-2022:1861) maven:3.5 security update slf4j-1.7.25-4.module+el8+2452+b359bfcd.noarch.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-base-5.14.21-150400.24.49.3.150400.24.19.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-debugsource-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-devel-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-devel-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-obs-build-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-obs-build-debugsource-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-syms-5.14.21-150400.24.49.4.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Legacy Module 15-SP4 ) reiserfs-kmp-default-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Legacy Module 15-SP4 ) reiserfs-kmp-default-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-devel-5.14.21-150400.24.49.4.noarch.rpm | Linux
SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-docs-5.14.21-150400.24.49.4.noarch.rpm | Linux
SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-macros-5.14.21-150400.24.49.4.noarch.rpm | Linux
SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-source-5.14.21-150400.24.49.4.noarch.rpm | Linux
maven:3.6 security and enhancement update (RLSA-2022:1860) maven-openjdk8-3.6.2-7.module+el8.6.0+844+4401f2ed.noarch.rpm | Linux
maven:3.6 security and enhancement update (RLSA-2022:1860) maven-openjdk11-3.6.2-7.module+el8.6.0+844+4401f2ed.noarch.rpm | Linux
maven:3.6 security and enhancement update (RLSA-2022:1860) maven-openjdk17-3.6.2-7.module+el8.6.0+844+4401f2ed.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) jansi-1.17.1-1.module+el8.3.0+241+f23502a8.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) jsoup-1.11.3-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) maven-3.5.4-5.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) slf4j-1.7.25-4.module+el8.5.0+697+f586bb30.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) cdi-api-1.2-8.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) atinject-1-28.20100611svn86.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) maven-lib-3.5.4-5.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) aopalliance-1.0-17.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) google-guice-4.1-11.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-utils-3.1.0-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-cipher-1.7-14.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) jcl-over-slf4j-1.7.25-4.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) glassfish-el-api-3.0.1-0.7.b08.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) apache-commons-io-2.6-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) apache-commons-cli-1.4-4.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-classworlds-2.5.2-9.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) geronimo-annotation-1.0-23.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) httpcomponents-core-4.4.10-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) apache-commons-codec-1.11-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) apache-commons-lang3-3.7-3.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-interpolation-1.22-9.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) httpcomponents-client-4.5.5-5.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-sec-dispatcher-1.4-26.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
maven:3.5 security update (RLSA-2022:1861) plexus-containers-component-annotations-1.7.1-8.module+el8.6.0+843+5a13dac3.noarch.rpm | Linux
httpcomponents-client Security Update (ALAS-2023-1946) httpcomponents-client-4.2.5-5.amzn2.0.1.noarch.rpm | Linux
httpcomponents-client Security Update (ALAS-2023-1946) httpcomponents-client-javadoc-4.2.5-5.amzn2.0.1.noarch.rpm | Linux
SUSE-SU-2024:4036-1(Development Tools Module 15-SP6) httpcomponents-client-4.5.14-150200.3.9.1.noarch.rpm | Linux
SUSE-SU-2024:4036-1(Development Tools Module 15-SP5) httpcomponents-core-4.4.14-150200.3.9.1.noarch.rpm | Linux
SUSE-SU-2024:4036-1(Development Tools Module 15-SP6) httpcomponents-core-4.4.14-150200.3.9.1.noarch.rpm | Linux
SUSE-SU-2024:4036-1(Development Tools Module 15-SP5) httpcomponents-client-4.5.14-150200.3.9.1.noarch.rpm | Linux
Vulnerabilities CVE-2020-13956 are fixed in Apache-httpclient for Linux 4.5.13 | Linux
Vulnerabilities CVE-2020-13956 are fixed in Apache-httpclient for Linux 5.0.3 | Linux
httpcomponents-client Security Update (ALAS2-2023-1946) httpcomponents-client-4.2.5-5.amzn2.0.1.noarch.rpm | Linux
httpcomponents-client Security Update (ALAS2-2023-1946) httpcomponents-client-javadoc-4.2.5-5.amzn2.0.1.noarch.rpm | Linux
CVE-2020-13956 | NCM


References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234