wid-sec-w-2022-0044
Vulnerability from csaf_certbund
Published
2020-10-07 22:00
Modified
2024-05-16 22:00
Summary
Apache HttpComponents: Schwachstelle ermöglicht Täuschung des Nutzers
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache HttpComponents ist ein Toolset von HTTP Java Komponenten.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache HttpComponents ausnutzen, um den Nutzer zu täuschen.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache HttpComponents ist ein Toolset von HTTP Java Komponenten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache HttpComponents ausnutzen, um den Nutzer zu t\u00e4uschen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0044 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0044.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0044 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0044"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:1044 vom 2021-03-30",
"url": "https://access.redhat.com/errata/RHSA-2021:1044"
},
{
"category": "external",
"summary": "Mailing list OSS-Security vom 2020-10-08",
"url": "https://www.openwall.com/lists/oss-security/2020/10/08/4"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-2405 vom 2020-10-10",
"url": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202010/msg00017.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-4772 vom 2020-10-15",
"url": "https://www.debian.org/security/2020/dsa-4772"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-4773 vom 2020-10-17",
"url": "https://lists.debian.org/debian-security-announce/2020/msg00180.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0084 vom 2021-01-12",
"url": "https://access.redhat.com/errata/RHSA-2021:0084"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0247 vom 2021-01-25",
"url": "https://access.redhat.com/errata/RHSA-2021:0247"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0246 vom 2021-01-25",
"url": "https://access.redhat.com/errata/RHSA-2021:0246"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0248 vom 2021-01-25",
"url": "https://access.redhat.com/errata/RHSA-2021:0248"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0250 vom 2021-01-25",
"url": "https://access.redhat.com/errata/RHSA-2021:0250"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0603 vom 2021-02-17",
"url": "https://access.redhat.com/errata/RHSA-2021:0603"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2021-111 vom 2021-02-19",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-111/index.html"
},
{
"category": "external",
"summary": "RedHat Security Advisory",
"url": "https://access.redhat.com/errata/RHSA-2021:0811"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0811 vom 2021-03-11",
"url": "https://access.redhat.com/errata/RHSA-2021:0811"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3140 vom 2021-08-11",
"url": "https://access.redhat.com/errata/RHSA-2021:3140"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3700 vom 2021-09-30",
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:4100 vom 2021-11-02",
"url": "https://access.redhat.com/errata/RHSA-2021:4100"
},
{
"category": "external",
"summary": "AVAYA Security Advisory ASA-2022-073 vom 2022-06-01",
"url": "https://downloads.avaya.com/css/P8/documents/101082111"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2022-1861 vom 2022-05-17",
"url": "https://linux.oracle.com/errata/ELSA-2022-1861.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:0722 vom 2022-03-01",
"url": "https://access.redhat.com/errata/RHSA-2022:0722"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:1860 vom 2022-05-10",
"url": "https://access.redhat.com/errata/RHSA-2022:1860"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:1861 vom 2022-05-10",
"url": "https://access.redhat.com/errata/RHSA-2022:1861"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6826619 vom 2022-10-05",
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-httpclient-affects-ibm-tivoli-business-service-manager-cve-2020-13956/"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2023-1946 vom 2023-02-22",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1946.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6963075 vom 2023-03-13",
"url": "https://www.ibm.com/support/pages/node/6963075"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3954 vom 2023-06-29",
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7011383 vom 2023-07-12",
"url": "https://www.ibm.com/support/pages/node/7011383"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7037815 vom 2023-09-22",
"url": "https://www.ibm.com/support/pages/node/7037815"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2024-208 vom 2024-05-07",
"url": "https://www.dell.com/support/kbdoc/000224800/dsa-2024-="
},
{
"category": "external",
"summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
"url": "https://www.ibm.com/support/pages/node/7153639"
}
],
"source_lang": "en-US",
"title": "Apache HttpComponents: Schwachstelle erm\u00f6glicht T\u00e4uschung des Nutzers",
"tracking": {
"current_release_date": "2024-05-16T22:00:00.000+00:00",
"generator": {
"date": "2024-05-17T08:33:36.708+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2022-0044",
"initial_release_date": "2020-10-07T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-10-07T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-10-11T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2020-10-14T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2020-10-18T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2021-01-12T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-01-25T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-02-17T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-02-21T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2021-03-11T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-03-30T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-08-11T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-09-29T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-11-02T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-03-01T23:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-05-10T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-05-17T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2022-06-02T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von AVAYA aufgenommen"
},
{
"date": "2022-10-04T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-02-22T23:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2023-03-13T23:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-06-29T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-07-11T22:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-09-24T22:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2024-05-06T22:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2024-05-16T22:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "25"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.13",
"product": {
"name": "Apache HttpComponents \u003c4.5.13",
"product_id": "T017445",
"product_identification_helper": {
"cpe": "cpe:/a:apache:http_components:4.5.13"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.0.3",
"product": {
"name": "Apache HttpComponents \u003c5.0.3",
"product_id": "T017446",
"product_identification_helper": {
"cpe": "cpe:/a:apache:http_components:5.0.3"
}
}
}
],
"category": "product_name",
"name": "HttpComponents"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "Avaya Aura Application Enablement Services",
"product": {
"name": "Avaya Aura Application Enablement Services",
"product_id": "T015516",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_application_enablement_services:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Communication Manager",
"product": {
"name": "Avaya Aura Communication Manager",
"product_id": "T015126",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:communication_manager:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Experience Portal",
"product": {
"name": "Avaya Aura Experience Portal",
"product_id": "T015519",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_experience_portal:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Session Manager",
"product": {
"name": "Avaya Aura Session Manager",
"product_id": "T015127",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:session_manager:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura System Manager",
"product": {
"name": "Avaya Aura System Manager",
"product_id": "T015518",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_system_manager:-"
}
}
}
],
"category": "vendor",
"name": "Avaya"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Server \u003c19.9.0.6",
"product": {
"name": "Dell NetWorker Server \u003c19.9.0.6",
"product_id": "T034567",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:server__19.9.0.6"
}
}
}
],
"category": "product_name",
"name": "NetWorker"
}
],
"category": "vendor",
"name": "Dell"
},
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "11.3",
"product": {
"name": "IBM Security Guardium 11.3",
"product_id": "1048943",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_guardium:11.3"
}
}
}
],
"category": "product_name",
"name": "Security Guardium"
},
{
"category": "product_name",
"name": "IBM Spectrum Protect",
"product": {
"name": "IBM Spectrum Protect",
"product_id": "T013661",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_protect:-"
}
}
},
{
"category": "product_name",
"name": "IBM Tivoli Business Service Manager",
"product": {
"name": "IBM Tivoli Business Service Manager",
"product_id": "T014092",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_business_service_manager:6.2.0"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "for Virtual Environments Agent for Linux Kernel-based Virtual Machines",
"product": {
"name": "IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines",
"product_id": "T028553",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_monitoring:for_virtual_environments_agent_for_linux_kernel-based_virtual_machines"
}
}
}
],
"category": "product_name",
"name": "Tivoli Monitoring"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13956",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Apache HttpComponents. Der \"HttpClient\" pr\u00fcft URLs nicht ausreichend. Ein Angreifer kann mit einer speziell manipulierten URL daf\u00fcr sorgen, dass ein anderer als der in der URL angezeigter Host kontaktiert wird. Zur erfolgreichen Ausnutzung dieser Schwachstelle ist je nach nutzender Anwendung eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T015519",
"T034567",
"T015518",
"1048943",
"67646",
"T015516",
"T015127",
"T015126",
"T004914",
"T013661",
"T017562",
"2951",
"T014092",
"398363",
"T028553"
]
},
"release_date": "2020-10-07T22:00:00Z",
"title": "CVE-2020-13956"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.