Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NApache Httpclient
APPApache< 4.5.135.0.0 – 5.0.3 (bez)Netapp Active Iq Unified Manager
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeOracle Commerce Guided Search
APPOracle11.3.2Oracle Communications Cloud Native Core Service Communication Proxy
APPOracle1.14.0Oracle Data Integrator
APPOracle12.2.1.3.012.2.1.4.0Oracle Jd Edwards Enterpriseone Orchestrator
APPOracle< 9.2.6.0Oracle Jd Edwards Enterpriseone Tools
APPOracle< 9.2.6.0Oracle Nosql Database
APPOracle< 20.3Oracle Peoplesoft Enterprise Peopletools
APPOracle8.578.58Oracle Peoplesoft Enterprise Pt Peopletools
APPOracle8.578.588.59Oracle Primavera Unifier
APPOracle16.116.218.819.1220.1217.7 – 17.12Oracle Retail Customer Management And Segmentation Foundation
APPOracle16.0 – 19.0Oracle Spatial Studio
APPOracle< 20.1.1Oracle Sql Developer
APPOracle< 20.4.1.407.0006< 21.99Oracle Weblogic Server
APPOracle12.2.1.4.014.1.1.0.0Quarkus
APPQuarkus< 1.7.6
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
References
Related vulnerabilities
CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)
CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...
CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...
CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...