CVE-2020-13956

Published: 08 Oct 2020
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Report

In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low. In OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix. In the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective httpcomponents-client component.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat BPM Suite 6 | httpclient | Out of support scope | | |
| Red Hat build of OpenJDK 11 | openjdk/openjdk-11-rhel7 | Affected | | |
| Red Hat build of OpenJDK 1.8 | redhat-openjdk-18/openjdk18-openshift | Affected | | |
| Red Hat CodeReady Studio 12 | httpclient | Will not fix | | |
| Red Hat Enterprise Linux 7 | httpcomponents-client | Affected | | |
| Red Hat Enterprise Linux 9 | httpcomponents-client | Not affected | | |
| Red Hat Integration Service Registry | httpclient | Not affected | | |
| Red Hat JBoss A-MQ 6 | httpclient | Out of support scope | | |
| Red Hat JBoss BRMS 5 | httpclient | Out of support scope | | |
| Red Hat JBoss BRMS 6 | httpclient | Out of support scope | | |

Additional information

Status: Moderate
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1886587 apache-httpclient: incorrect handling of malformed authority component in request URIs

EPSS

Percentile: 66%
0.00519
Low

5.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 4 years ago

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

CVSS3: 5.3
nvd
more than 4 years ago

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

CVSS3: 5.3
debian
more than 4 years ago

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misin ...

suse-cvrf
9 months ago

Security update for httpcomponents-client, httpcomponents-core

rocky
about 3 years ago

Moderate: maven:3.5 security update
