====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN564
_____________________________________________________________________

DATE                : 12/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HttpClient versions prior to
                                        4.5.13, 5.0.3.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202010.mbox/%3c4202d88eabd0ad2a0287243b281cad1bd2b9b141.camel@apache.org%3e
_____________________________________________________________________

CVE-2020-13956: Apache HttpClient incorrect handling of malformed
authority component in request URIs

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache HttpClient 4.5.12 and prior
Apache HttpClient 5.0.2 and prior

Description:

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can
misinterpret malformed authority component in request URIs passed to
the library as java.net.URI object and pick the wrong target host for
request execution.

Mitigation:

As of release 4.5.13 and 5.0.3 HttpClient will reject URIs with
ambiguous malformed authority component as invalid. Users of HttpClient
are advised to upgrade to version 4.5.13 or 5.0.3 and sanitize request
URIs when using java.net.URI as input.

Credit:
This issue was discovered and reported by Priyank Nigam


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================