Apache HttpClient 4.5.13 currently depends on Apache Commons Codec 1.11, which is vulnerable to WS-2019-0379.
The issue has been resolved in Apache Commons Codec 1.13 (
HTTPCLIENT-2072: Security vulnerability with apache commons-code 1.11, upgrade to 1.13
- is caused by CODEC-134: Base32 would decode some invalid Base32 encoded string into arbitrary value
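
A strict RFC 4648 Base32 decoder showing the kind of check the CODEC-134 title describes, as an added example (not code from Commons Codec or from this issue). It assumes the invalid inputs in question are encodings whose unused trailing bits are non-zero; the class name `StrictBase32` and the sample strings are constructed for illustration.

```java
public class StrictBase32 {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** Decodes padded RFC 4648 Base32, rejecting strings no byte array encodes to. */
    public static byte[] decode(String s) {
        if (s.length() % 8 != 0)
            throw new IllegalArgumentException("length is not a multiple of 8");
        int pad = 0;
        while (pad < s.length() && s.charAt(s.length() - 1 - pad) == '=') pad++;
        // A final block can only carry 0, 1, 3, 4 or 6 padding characters.
        if (pad == 2 || pad == 5 || pad > 6)
            throw new IllegalArgumentException("impossible padding length " + pad);
        int chars = s.length() - pad;
        byte[] out = new byte[chars * 5 / 8];
        int buffer = 0, bits = 0, pos = 0;
        for (int i = 0; i < chars; i++) {
            int v = ALPHABET.indexOf(s.charAt(i));
            if (v < 0)
                throw new IllegalArgumentException("invalid character at index " + i);
            buffer = (buffer << 5) | v;   // append 5 bits per symbol
            bits += 5;
            if (bits >= 8) {              // a full byte is available
                bits -= 8;
                out[pos++] = (byte) (buffer >> bits);
                buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
            }
        }
        // Bits left over after the last whole byte are filler and must be zero;
        // a lenient decoder drops them, so several strings map to one value.
        if (buffer != 0)
            throw new IllegalArgumentException("non-zero trailing bits");
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples: "MY======" is the RFC 4648 encoding of "f";
        // "MZ======" differs only in the two unused low bits of its last symbol.
        for (String sample : new String[] {"MY======", "MZ======"}) {
            try {
                byte[] decoded = decode(sample);
                System.out.println(sample + " -> "
                        + new String(decoded, java.nio.charset.StandardCharsets.US_ASCII));
            } catch (IllegalArgumentException e) {
                System.out.println(sample + " rejected: " + e.getMessage());
            }
        }
    }
}
```

A check like this matters wherever Base32 strings are compared or logged in encoded form but trusted in decoded form, because a lenient decoder lets distinct strings stand for the same value.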