Hi Team, MAT is dependent on Apache HTTP Client org.apache.httpcomponents.httpclient_4.5.10.v20200114-1512.jar. This jar file has a security vulnerability, CVE-2020-13956: Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution. Could you please upgrade and fix this.
Thanks for the report. Stand-alone MAT is built against Eclipse 2020-03, from which this component comes. If we build against Eclipse 2021-03 then this still has an older version: https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/releases/2021-03/index/org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.html Ideally Eclipse would be updated and then we would build against a later Eclipse, though this would force MAT to be run with JDK 11 or later, as the prerequisite for Eclipse has increased. I don't know what effect this vulnerability has in MAT. There is not much remote access done by MAT except for install/updates through the Eclipse p2 mechanism and also remote help. Do these go through HttpClient?
Memory Analyzer 1.12 now has org.apache.httpcomponents.httpclient_4.5.13.v20210128-2225.jar so this is fixed.
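The thread turns on which HttpClient bundle version ships in a given MAT or Eclipse install. The following is an added example, not code from the Memory Analyzer project or from this thread, that parses Eclipse/OSGi bundle file names of the form `org.apache.httpcomponents.httpclient_<major>.<minor>.<micro>.<qualifier>.jar` and flags versions below the fixed releases named in the advisory text above (4.5.13 for the 4.x line, 5.0.3 for the 5.x line). The plugin listing is constructed inline; on a real install you would pass the contents of the `plugins` directory instead.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed releases as quoted from the CVE-2020-13956 advisory in the thread:
# the 4.x line is fixed in 4.5.13, the 5.x line in 5.0.3.
FIXED_VERSIONS = {4: (4, 5, 13), 5: (5, 0, 3)}

# OSGi bundle file names carry the version right after the symbolic name:
#   org.apache.httpcomponents.httpclient_4.5.10.v20200114-1512.jar
# The underscore must follow "httpclient" directly, so fragment bundles such as
# org.apache.httpcomponents.httpclient.win_... and the separate httpcore bundle
# are deliberately not matched (they are different artifacts).
BUNDLE_RE = re.compile(
    r"^org\.apache\.httpcomponents\.httpclient_(\d+)\.(\d+)\.(\d+)(?:\.[^/]+)?\.jar$"
)

Version = Tuple[int, int, int]


def parse_httpclient_version(filename: str) -> Optional[Version]:
    """Return (major, minor, micro) for an httpclient bundle file name, else None."""
    m = BUNDLE_RE.match(filename)
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor, micro)


def is_vulnerable(version: Version) -> bool:
    """True if the version predates the fix for its release line.

    Lines newer than 5.x post-date the fix; anything older than 4.x is treated
    conservatively as affected (the advisory says 'prior to 4.5.13').
    """
    major = version[0]
    if major > 5:
        return False
    if major < 4:
        return True
    return version < FIXED_VERSIONS[major]


def scan_plugins(filenames: Iterable[str]) -> Dict[str, bool]:
    """Map each httpclient bundle found in the listing to its vulnerable/not status."""
    findings: Dict[str, bool] = {}
    for name in filenames:
        version = parse_httpclient_version(name)
        if version is not None:
            findings[name] = is_vulnerable(version)
    return findings


# Constructed sample listing: the three bundle versions mentioned in the thread
# plus two neighbours that must be ignored by the scanner.
SAMPLE_PLUGINS = [
    "org.apache.httpcomponents.httpclient_4.5.10.v20200114-1512.jar",  # MAT 1.11 (Eclipse 2020-03)
    "org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.jar",  # Eclipse 2021-03
    "org.apache.httpcomponents.httpclient_4.5.13.v20210128-2225.jar",  # MAT 1.12
    "org.apache.httpcomponents.httpclient.win_4.5.10.v20200114-1512.jar",  # fragment, skipped
    "org.apache.httpcomponents.httpcore_4.4.13.v20200105-1044.jar",  # different artifact, skipped
]

if __name__ == "__main__":
    for bundle, vulnerable in scan_plugins(SAMPLE_PLUGINS).items():
        status = "VULNERABLE (CVE-2020-13956)" if vulnerable else "fixed"
        print(f"{bundle}: {status}")
```

To check a real install, replace `SAMPLE_PLUGINS` with `os.listdir(path_to_plugins_dir)`; the comparison is on the numeric version only, since the `vYYYYMMDD-HHMM` qualifier is a build timestamp and does not indicate whether the fix is present.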