CVE-2020-13956 Overview
Apache HttpClient versions prior to 4.5.13 and 5.0.3 contain an improper input validation vulnerability that can misinterpret malformed authority components in request URIs passed to the library as java.net.URI objects. This misinterpretation can cause the HttpClient to pick the wrong target host for request execution, potentially leading to request routing to unintended destinations.
Critical Impact
Applications using vulnerable Apache HttpClient versions may inadvertently send HTTP requests to attacker-controlled servers due to URI parsing inconsistencies, potentially exposing sensitive data or enabling server-side request forgery (SSRF) attacks.
Affected Products
- Apache HttpClient versions prior to 4.5.13
- Apache HttpClient versions 5.x prior to 5.0.3
- Quarkus (multiple versions)
- Oracle Data Integrator 12.2.1.3.0 and 12.2.1.4.0
- Oracle JD Edwards EnterpriseOne Orchestrator and Tools
- Oracle NoSQL Database
- Oracle PeopleSoft Enterprise PeopleTools 8.57, 8.58, 8.59
- Oracle Primavera Unifier (multiple versions including 16.1, 16.2, 18.8, 19.12, 20.12)
- Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0
- Oracle SQL Developer
- Oracle Commerce Guided Search 11.3.2
- Oracle Communications Cloud Native Core Service Communication Proxy 1.14.0
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- NetApp SnapCenter
Discovery Timeline
- 2020-12-02 - CVE-2020-13956 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2020-13956
Vulnerability Analysis
This vulnerability stems from improper handling of the authority component within URIs processed by Apache HttpClient. When a malformed URI is passed to the library as a java.net.URI object, the parsing logic fails to correctly interpret the authority section, which includes the host, port, and optional user information. This misinterpretation can cause the HTTP client to route requests to an incorrect target host.
The vulnerability is particularly concerning in scenarios where user-controlled input influences URI construction. An attacker who can manipulate the URI structure may be able to redirect requests intended for a legitimate server to an attacker-controlled destination. This could result in sensitive information disclosure, credential theft, or serve as a vector for more sophisticated attacks such as SSRF.
The impact extends to data integrity, as requests may be processed by unintended servers. Enterprise environments utilizing Oracle and NetApp products that bundle the vulnerable HttpClient library face exposure through their dependency chains.
Root Cause
The root cause lies in insufficient validation of the authority component during URI parsing. The java.net.URI class and Apache HttpClient's internal parsing logic handle certain malformed authority strings differently, creating an inconsistency. When the HttpClient library extracts the target host from a URI object with an ambiguous or malformed authority component, it may resolve to an unexpected hostname.
This parsing discrepancy allows specially crafted URIs to bypass intended request routing, effectively redirecting HTTP traffic to hosts controlled by an attacker or unintended third parties.
Attack Vector
The attack requires network access and involves supplying a malformed URI to an application that uses the vulnerable Apache HttpClient library. The attacker crafts a URI with a deceptive authority component that exploits the parsing inconsistency between java.net.URI and Apache HttpClient.
When the application processes this malformed URI and initiates an HTTP request, the HttpClient library extracts the wrong host from the authority component. The resulting request is sent to the attacker's server instead of the intended destination.
Exploitation scenarios include:
- Applications that accept user-provided URLs for fetching remote resources
- Proxy or gateway services that route requests based on parsed URIs
- Integration services that construct URIs from multiple input sources
- Webhook handlers that make outbound requests to user-specified endpoints
The attack does not require authentication, as it exploits the parsing logic before any request authentication occurs. Successful exploitation could leak authentication tokens, API keys, or sensitive request data to attacker-controlled infrastructure.
Detection Methods for CVE-2020-13956
Indicators of Compromise
- Unexpected outbound HTTP connections to unknown or suspicious external hosts from applications using Apache HttpClient
- HTTP request logs showing requests to hosts that differ from application-configured endpoints
- Network traffic analysis revealing connections to IP addresses or domains not associated with legitimate application backends
- Application logs containing URI parsing errors or unexpected host resolution warnings
Detection Strategies
- Implement dependency scanning to identify Apache HttpClient versions prior to 4.5.13 or 5.0.3 in your software inventory
- Deploy network monitoring to detect anomalous outbound HTTP connections from Java applications
- Utilize Software Composition Analysis (SCA) tools to identify vulnerable HttpClient dependencies in both direct and transitive dependency trees
- Review application logs for URI processing anomalies or unexpected request destinations
Monitoring Recommendations
- Enable detailed logging for applications using Apache HttpClient to capture target host information for outbound requests
- Configure network security monitoring to alert on connections to hosts outside approved allowlists
- Implement egress filtering to restrict outbound HTTP connections to known, legitimate destinations
- Monitor for dependency updates in Maven, Gradle, or other build systems to ensure patched versions are adopted
How to Mitigate CVE-2020-13956
Immediate Actions Required
- Upgrade Apache HttpClient to version 4.5.13 or later for the 4.x branch
- Upgrade Apache HttpClient to version 5.0.3 or later for the 5.x branch
- Review and update all applications and services that include Apache HttpClient as a dependency
- Apply vendor patches for affected Oracle, NetApp, and Quarkus products as documented in their respective security advisories
Patch Information
Apache has released patched versions that correct the URI authority parsing behavior. Organizations should update to:
- Apache HttpClient 4.5.13 or later (for 4.x users)
- Apache HttpClient 5.0.3 or later (for 5.x users)
For downstream products, refer to vendor-specific advisories:
- Oracle CPU April 2021
- Oracle CPU July 2021
- Oracle CPU October 2021
- Oracle CPU January 2022
- Oracle CPU April 2022
- NetApp Security Advisory ntap-20220210-0002
Workarounds
- Implement strict input validation on all URIs before passing them to Apache HttpClient
- Validate that parsed URI host components match expected values using allowlists before initiating requests
- Deploy application-level egress filtering to restrict outbound connections to approved destinations only
- Consider wrapping HttpClient calls with additional host verification logic until patching is complete
# Maven dependency update example
# Update pom.xml to use patched version:
# <dependency>
# <groupId>org.apache.httpcomponents</groupId>
# <artifactId>httpclient</artifactId>
# <version>4.5.13</version>
# </dependency>
# Verify current HttpClient version in Maven project
mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient
# Force dependency update
mvn versions:use-latest-versions -Dincludes=org.apache.httpcomponents:httpclient
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
