MEDIUM✓ PATCH🇬🇧 English

CVE-2020-13956

CVSS 5.3v3.1pub. 2020-12-02upd. 2025-12-01

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Apache Httpclient

    APP
    Apache
    < 4.5.135.0.0 – 5.0.3 (bez)
  • Netapp Active Iq Unified Manager

    APP
    Netapp
    wszystkie wersje
  • Netapp Snapcenter

    APP
    Netapp
    wszystkie wersje
  • Oracle Commerce Guided Search

    APP
    Oracle
    11.3.2
  • Oracle Communications Cloud Native Core Service Communication Proxy

    APP
    Oracle
    1.14.0
  • Oracle Data Integrator

    APP
    Oracle
    12.2.1.3.012.2.1.4.0
  • Oracle Jd Edwards Enterpriseone Orchestrator

    APP
    Oracle
    < 9.2.6.0
  • Oracle Jd Edwards Enterpriseone Tools

    APP
    Oracle
    < 9.2.6.0
  • Oracle Nosql Database

    APP
    Oracle
    < 20.3
  • Oracle Peoplesoft Enterprise Peopletools

    APP
    Oracle
    8.578.58
  • Oracle Peoplesoft Enterprise Pt Peopletools

    APP
    Oracle
    8.578.588.59
  • Oracle Primavera Unifier

    APP
    Oracle
    16.116.218.819.1220.1217.7 – 17.12
  • Oracle Retail Customer Management And Segmentation Foundation

    APP
    Oracle
    16.0 – 19.0
  • Oracle Spatial Studio

    APP
    Oracle
    < 20.1.1
  • Oracle Sql Developer

    APP
    Oracle
    < 20.4.1.407.0006< 21.99
  • Oracle Weblogic Server

    APP
    Oracle
    12.2.1.4.014.1.1.0.0
  • Quarkus

    APP
    Quarkus
    < 1.7.6
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...