GHSA-7r82-7xv7-xcpj

Suggest an improvement
Source
https://github.com/advisories/GHSA-7r82-7xv7-xcpj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7r82-7xv7-xcpj
Aliases
Related
Published
2021-06-03T23:40:23Z
Modified
2024-03-15T05:19:17.323914Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Cross-site scripting in Apache HttpClient
Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Database specific
{
    "nvd_published_at": "2020-12-02T17:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-12T22:25:52Z"
}
References

Affected packages

Maven / org.apache.httpcomponents:httpclient

Package

Name
org.apache.httpcomponents:httpclient
View open source insights on deps.dev
Purl
pkg:maven/org.apache.httpcomponents/httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.5.13

Affected versions

4.*

4.0-alpha1
4.0-alpha2
4.0-alpha3
4.0-alpha4
4.0-beta1
4.0-beta2
4.0
4.0.1
4.0.2
4.0.3
4.1-alpha1
4.1-alpha2
4.1-beta1
4.1
4.1.1
4.1.2
4.1.3
4.2-alpha1
4.2-beta1
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.3-alpha1
4.3-beta1
4.3-beta2
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.4-alpha1
4.4-beta1
4.4
4.4.1
4.5
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12

Maven / org.apache.httpcomponents:httpclient

Package

Name
org.apache.httpcomponents:httpclient
View open source insights on deps.dev
Purl
pkg:maven/org.apache.httpcomponents/httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.3