Yu-Wen Lai created HIVE-24837:
---------------------------------

             Summary: Upgrade httpclient to 4.5.13+ due to CVE-2020-13956
                 Key: HIVE-24837
                 URL: https://issues.apache.org/jira/browse/HIVE-24837
             Project: Hive
          Issue Type: Improvement
            Reporter: Yu-Wen Lai
            Assignee: Yu-Wen Lai

Hive is using httpclient 4.5.6. We will need to upgrade httpclient and httpcore.

{quote}
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSSv3:
Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2020-13956: Apache HttpClient incorrect handling of malformed authority component in request URIs

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
Apache HttpClient 4.5.12 and prior
Apache HttpClient 5.0.2 and prior

Description:
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Mitigation:
As of release 4.5.13 and 5.0.3 HttpClient will reject URIs with ambiguous malformed authority component as invalid.

Users of HttpClient are advised to upgrade to version 4.5.13 or 5.0.3 and sanitize request URIs when using java.net.URI as input.

Credit:
This issue was discovered and reported by Priyank Nigam
{quote}

Reference:
* [https://www.openwall.com/lists/oss-security/2020/10/08/4]
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956]
* [https://nvd.nist.gov/vuln/detail/CVE-2020-13956]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
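The advisory's mitigation, besides upgrading, is to sanitize request URIs when java.net.URI is the input. The following is an added example of such a pre-flight check, not code from Hive or from HttpClient: it refuses any absolute URI whose authority java.net.URI could only parse as a registry-based authority (getHost() returns null), so the HTTP library is never left to guess the target host, and as a policy choice it also refuses user-info. The class and method names and the sample inputs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Pre-flight check for request URIs built from untrusted strings (added example). */
public final class RequestUriGuard {
    /**
     * Returns the URI only if java.net.URI parsed its authority as a server-based
     * host[:port]; otherwise throws, so an ambiguous authority never reaches the
     * HTTP library's own fallback parsing.
     */
    public static URI requireUnambiguousTarget(String raw) {
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable request URI", e);
        }
        if (!uri.isAbsolute()) {
            throw new IllegalArgumentException("request URI must be absolute");
        }
        // java.net.URI leaves host == null when only a registry-based parse of the
        // authority succeeded (a character illegal in a host name, more than one '@').
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("ambiguous authority: " + uri.getRawAuthority());
        }
        // Policy choice: outbound request URIs should not carry user-info at all.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("user-info in request URI not allowed");
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed inputs: one clean URI and three that must be refused.
        String[] samples = {
            "https://issues.apache.org/jira/browse/HIVE-24837",
            "http://user@example.com/",  // user-info: refused by policy
            "http://exa_mple.com:80/",   // '_' defeats the server-based parse: host == null
            "http://a@b@example.com/"    // two '@': host == null, authority ambiguous
        };
        for (String s : samples) {
            try {
                System.out.println("OK   " + requireUnambiguousTarget(s).getHost());
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

Run the check before handing a URI to the client; a project still on an affected version gets the advisory's "reject as invalid" behaviour at the call site, and a project on 4.5.13+ gets a clearer error than the library's own.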