低危 HttpClient 安全漏洞

CVE编号

CVE-2020-13956

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-12-03

漏洞描述

HttpClient是美国阿帕奇（Apache）基金会的一个 Java 编写的访问HTTP资源的客户端程序。该程序用于使用HTTP协议访问网络资源。 Apache HttpClient java.net.URI Authority Component存在安全漏洞，该漏洞允许攻击者访问敏感数据。

解决建议

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页：https://www.apache.org/

参考链接
https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa80...
https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a52...
https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7...
https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe...
https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe...
https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c9...
https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c9...
https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d...
https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd403632761...
https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f58...
https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f58...
https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca...
https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4be...
https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603...
https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5...
https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb37...
https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb37...
https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be...
https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a...
https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a...
https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074bed...
https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a53...
https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6...
https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e89...
https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fd...
https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8...
https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b2264...
https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b2264...
https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095...
https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d879...
https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d879...
https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2...
https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618...
https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4...
https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a9122404...
https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246...
https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a1...
https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d...
https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8...
https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8...
https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c3907...
https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851df...
https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644...
https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90...
https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c31...
https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8...
https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bb...
https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6...
https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bb...
https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bb...
https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e1...
https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e96...
https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc74080445...
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2...
https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed836...
https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80...
https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733...
https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062...
https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062...
https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153c...
https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3...
https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3...
https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef...
https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef...
https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb...
https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb...
https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a0...
https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254...
https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeaf...
https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b...
https://security.netapp.com/advisory/ntap-20220210-0002/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	apache	httpclient	*		Up to (excluding) 4.5.13
	运行在以下环境
	应用	apache	httpclient	*	From (including) 5.0.0	Up to (excluding) 5.0.3
	运行在以下环境
	系统	amazon_2	httpcomponents-client	*		Up to (excluding) 4.2.5-5.amzn2.0.1
	运行在以下环境
	系统	anolis_os_8	jsr-305	*		Up to (excluding) 1.16-2
	运行在以下环境
	系统	debian_10	httpcomponents-client	*		Up to (excluding) 4.5.7-1+deb10u1
	运行在以下环境
	系统	debian_11	httpcomponents-client	*		Up to (excluding) 4.5.13-1
	运行在以下环境
	系统	debian_12	httpcomponents-client	*		Up to (excluding) 4.5.13-1
	运行在以下环境
	系统	debian_9	httpcomponents-client	*		Up to (excluding) 4.5.2-2+deb9u1
	运行在以下环境
	系统	debian_sid	httpcomponents-client	*		Up to (excluding) 4.5.13-1
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.1.1-2.module+el8+5161+5cac467c

阿里云评分 3.2

• 攻击路径 远程
• 攻击复杂度 复杂
• 权限要求 无需权限
• 影响范围 有限影响
• EXP成熟度 未验证
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 100

CWE-ID	漏洞类型
NVD-CWE-noinfo

Exp相关链接

- avd.aliyun.com