CVE-2020-13956
Request URI Misinterpretation vulnerability in httpclient (Maven)
What is CVE-2020-13956 About?
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in a request URI that is passed to the library as a java.net.URI object and pick the wrong target host for request execution. An application that validates one host and then hands the URI to HttpClient can therefore end up sending the request to a host it did not check, which is the basis for server-side request forgery and leakage of whatever the request carries. Exploitation requires only that an attacker influence the request URI; no special privileges are needed.
Affected Software
- org.apache.httpcomponents:httpclient
- <4.5.13
- org.apache.httpcomponents.client5:httpclient5
- >=5.0.0, <5.0.3
Technical Details
The vulnerability lies in how affected versions (4.x before 4.5.13 and 5.x before 5.0.3) derive the target host from a java.net.URI supplied as the request URI. java.net.URI accepts authority strings that do not fit the user@host:port grammar (for example a hostname containing an underscore, or an authority with more than one '@'): for such a URI getHost() returns null while getAuthority() still returns the raw text. Affected HttpClient versions handled that case by deriving the target host from the raw authority with their own, more lenient parsing, which can yield a host different from the one the application validated or intended. The request, together with any headers, cookies or credentials attached to it, is then sent to that host. An attacker who can influence the request URI can use this to direct a request at an attacker-controlled server or at an internal service the application was not meant to reach, which amounts to server-side request forgery (SSRF) and can disclose data carried in the request.
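The parsing gap described above, and the input conditions discussed under exploitability below, are easiest to see side by side. The following is an added Java example written for this page; it is not code from HttpClient or from the advisory. The allowlist, the host names api.example.com, internal_service and evil.example.org, and the weak prefix check are constructed for the example, and lenientHost is a simplified stand-in for a lenient authority fallback, not HttpClient's implementation. The hardened check relies on java.net.URI#parseServerAuthority(), which rejects any authority the JDK cannot parse as user@host:port, so the host that is validated is the host the JDK actually extracted.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class RequestUriHostCheck {

    // Hosts this application intends to call (constructed for the example).
    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    // Weak check seen in real code: a string prefix test. It is satisfied by
    // "http://api.example.com@<other host>/..." because the prefix is userinfo.
    static boolean weakPrefixCheck(String raw) {
        return raw.startsWith("http://api.example.com");
    }

    // Simplified stand-in for a lenient fallback (illustrative, not HttpClient's
    // code): when java.net.URI found no host, split the raw authority on the
    // first '@' and the last ':' ourselves. This is the kind of second parse
    // that can disagree with whatever the caller validated.
    static String lenientHost(URI uri) {
        if (uri.getHost() != null) {
            return uri.getHost();
        }
        String authority = uri.getRawAuthority();
        if (authority == null) {
            return null;
        }
        int at = authority.indexOf('@');
        if (at >= 0) {
            authority = authority.substring(at + 1);
        }
        int colon = authority.lastIndexOf(':');
        if (colon >= 0) {
            authority = authority.substring(0, colon);
        }
        return authority;
    }

    // Hardened check: insist on a server-based authority, then validate the
    // host the JDK extracted against the allowlist. Registry-based authorities
    // (host grammar violations) make parseServerAuthority() throw.
    static URI requireAllowedHost(String raw) throws URISyntaxException {
        URI uri = new URI(raw).parseServerAuthority();
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new URISyntaxException(raw, "host not in allowlist: " + host);
        }
        return uri;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The underscore in "internal_service" violates the
        // JDK hostname grammar, so getHost() is null for the second URI while
        // getAuthority() still holds the full string.
        String[] inputs = {
            "http://api.example.com/v1/orders",
            "http://api.example.com@internal_service:8080/admin",
            "http://api.example.com@evil.example.org/",
        };
        for (String raw : inputs) {
            URI uri = new URI(raw);
            System.out.println(raw);
            System.out.println("  weak prefix check : " + weakPrefixCheck(raw));
            System.out.println("  getHost()         : " + uri.getHost());
            System.out.println("  getAuthority()    : " + uri.getAuthority());
            System.out.println("  lenient fallback  : " + lenientHost(uri));
            try {
                requireAllowedHost(raw);
                System.out.println("  hardened check    : accepted");
            } catch (URISyntaxException e) {
                System.out.println("  hardened check    : rejected (" + e.getReason() + ")");
            }
        }
    }
}
```

Run with `java RequestUriHostCheck.java` (JDK 11 or later). The second input passes the prefix check, yields a null host from the JDK, and a lenient fallback would route it to internal_service; the third is well-formed but its host is evil.example.org, because the leading api.example.com is userinfo. Both are rejected by the hardened check, which is the pattern to keep even after upgrading: validate the host the client will actually connect to, not the string the user sent.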
What is the Impact of CVE-2020-13956?
Successful exploitation lets an attacker who controls or influences a request URI cause the application to send that request to a host other than the one it intended. This enables Server-Side Request Forgery (SSRF), leakage of data carried in the request (headers, tokens, request body), and access to internal services that trust traffic originating from the application.
What is the Exploitability of CVE-2020-13956?
Exploitation is of low to moderate complexity. The prerequisite is that the application builds request URIs for a vulnerable HttpClient from external or user-controlled input. No authentication or privileges are required beyond the ability to supply that input, so an unauthenticated remote attacker can trigger the flaw wherever URI input is exposed. The triggering condition is a URI whose authority component is malformed, so that java.net.URI cannot parse a host from it and HttpClient falls back to its own interpretation. The likelihood is highest where the application validates the host with string matching or with a different parser than the one HttpClient uses, and where precise host targeting is security-critical, such as allowlisted egress or access to internal metadata or admin endpoints.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-13956?
Available Upgrade Options
- org.apache.httpcomponents:httpclient
- <4.5.13 → Upgrade to 4.5.13
- org.apache.httpcomponents.client5:httpclient5
- >=5.0.0, <5.0.3 → Upgrade to 5.0.3
Upgrading a direct dependency does not fix copies pulled in transitively or shaded by other libraries; check the resolved dependency tree for every occurrence of httpclient and httpclient5 and pin them to the fixed versions.
Additional Resources
- https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E
- https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-13956?
Similar Vulnerabilities: CVE-2020-1945, CVE-2021-38297, CVE-2019-20445, CVE-2022-26377, CVE-2022-42889
