Bugzilla – Bug 1177488
VUL-0: CVE-2020-13956: apache-commons-httpclient,jakarta-commons-httpclient3: incorrect handling of malformed URI authority component
Last modified: 2020-10-08 22:11:36 UTC
CVE-2020-13956 Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.

Versions Affected:
Apache HttpClient 4.5.12 and prior
Apache HttpClient 5.0.2 and prior

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13956
http://seclists.org/oss-sec/2020/q4/34
Relevant diff: https://github.com/apache/httpcomponents-client/compare/rel/v5.0.2...rel/v5.0.3
Upstream implemented two test cases:

> Assert.assertEquals(null,
>     URIUtils.extractHost(new URI("http://blah@goggle.com:80@google.com/")));
>
> Assert.assertEquals(null,
>     URIUtils.extractHost(new URI("http://localhost:;sessionid=stuff/abcd")));

We ship a very old version of apache-commons-httpclient. Its URIUtil class does not contain an equivalent to URIUtils.extractHost(). The closest function would be:

> new URI("http://blah@goggle.com:80@google.com/", false).getHost();
> new URI("http://localhost:;sessionid=stuff/abcd", false).getHost();

Both test cases raise an exception:

> org.apache.commons.httpclient.URIException: invalid port number

I conclude that we are not affected.
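The following is an added example, not code from the bug report or from Apache HttpClient. It uses only java.net.URI (no HttpClient jar) to show why the two upstream test inputs are dangerous: the JDK parser cannot parse either authority as server-based, so getHost() returns null and getAuthority() still holds the raw string. The hypothetical helper targetHostOrNull() mirrors the behaviour the upstream tests now expect from URIUtils.extractHost(): it yields null whenever no host was actually parsed, instead of deriving one from the authority string. The three sample URIs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class AuthorityCheck {

    // Constructed inputs: the two malformed authorities from the upstream
    // test cases, plus a well-formed URI with user info and a port.
    static final String[] SAMPLES = {
        "http://blah@goggle.com:80@google.com/",
        "http://localhost:;sessionid=stuff/abcd",
        "http://user@example.org:8080/path"
    };

    /**
     * Hypothetical helper (not HttpClient code). Returns "host" or
     * "host:port" only when java.net.URI produced a server-based authority,
     * i.e. getHost() is non-null. For registry-based (unparseable) authorities
     * it returns null, the same expectation the upstream test cases encode,
     * so a caller never ends up with a host guessed from the raw authority.
     */
    static String targetHostOrNull(URI uri) {
        if (!uri.isAbsolute() || uri.getHost() == null) {
            return null;
        }
        int port = uri.getPort();
        return uri.getHost() + (port >= 0 ? ":" + port : "");
    }

    public static void main(String[] args) throws URISyntaxException {
        for (String s : SAMPLES) {
            // java.net.URI does not throw for these inputs; it silently falls
            // back to a registry-based authority with host == null.
            URI uri = new URI(s);
            System.out.printf("%-42s authority=%-32s host=%-12s target=%s%n",
                s, uri.getAuthority(), uri.getHost(), targetHostOrNull(uri));
        }
    }
}
```

Running this with any JDK prints host=null and target=null for the two malformed inputs and target=example.org:8080 for the well-formed one. The page's own observation is the complementary check for the commons-httpclient 3 line: its org.apache.commons.httpclient.URI constructor rejects both inputs outright with "invalid port number" rather than falling back to an unparsed authority.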