CVE-2020-13956
httpcomponents-client - security update
CVSS 3.1 score: 5.3 (MEDIUM)
EPSS: 0.51%
Description
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in a request URI passed to the library as a java.net.URI object and, as a result, pick the wrong target host for request execution.
How to fix CVE-2020-13956
To remediate CVE-2020-13956, upgrade the affected package to one of the fixed versions listed below.
- Debian/httpcomponents-client: upgrade to 4.5.13-1 or later
- upgrade to 4.5.2-2+deb9u1 or later
- upgrade to 4.5.7-1+deb10u1 or later
- upgrade to 4.5.13 or later
Is CVE-2020-13956 being exploited?
Low: EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 4.5.13-1
- from 0, < 4.5.2-2+deb9u1
- from 0, < 4.5.7-1+deb10u1
- from 0, < 4.5.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |