
CVE-2022-29631: Server-Side Request Forgery in Jodd HTTP

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score
0.11257%
Published
6/7/2022
Updated
1/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name: org.jodd:jodd-http
Ecosystem: maven
Vulnerable Versions: >= 5.0.0, < 6.2.1
First Patched Version: 6.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two key functions:

  1. The path() method used URLEncoder (which encodes spaces as '+' and doesn't handle CRLF) instead of proper percent-encoding via URLCoder, allowing injection into the request line.
  2. The send() method propagated these unencoded values into the final HTTP payload.

The patch explicitly replaced URLEncoder with URLCoder.encodePath in the path() method and added CRLF injection tests, confirming these as the injection points. The GitHub issue's PoC demonstrates exploitation via these methods.
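The root cause above is a client library serializing caller-controlled strings into the request head without path-style percent-encoding or a control-character check. The following is an added example, not Jodd's code and not the patch: a small Java request-head builder (the class SafeRequestHead and its methods encodePath, requireNoControlChars and buildRequestHead are hypothetical names chosen here) that shows the difference between form encoding via java.net.URLEncoder and RFC 3986 path encoding, and demonstrates that a path carrying CR/LF ends up percent-encoded while a header value carrying CR/LF is rejected before anything is written to the wire. The hostile input is constructed for the demonstration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Jodd's code: a minimal request-head builder that
 * percent-encodes the path per RFC 3986 and refuses control characters
 * in header fields, so caller-supplied strings cannot terminate the
 * request line or add headers of their own.
 */
public class SafeRequestHead {

    // Characters that may appear unencoded in a path segment (RFC 3986 pchar, plus '/').
    private static final String SAFE_PATH_CHARS =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        + "-._~" + "!$&'()*+,;=" + ":@/";

    /** Percent-encode a raw (decoded) path: space becomes %20, CR/LF become %0D%0A, '+' is left alone. */
    static String encodePath(String rawPath) {
        StringBuilder out = new StringBuilder();
        for (byte b : rawPath.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (c < 0x80 && SAFE_PATH_CHARS.indexOf(c) >= 0) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    /** Header names and values must not contain CR, LF or other control characters (RFC 7230). */
    static String requireNoControlChars(String field, String value) {
        for (int i = 0; i < value.length(); i++) {
            char ch = value.charAt(i);
            if (ch == '\r' || ch == '\n' || (ch < 0x20 && ch != '\t') || ch == 0x7F) {
                throw new IllegalArgumentException(field + " contains a control character at index " + i);
            }
        }
        return value;
    }

    /** Serialize the request line, Host header and extra headers, terminated by the empty line. */
    static String buildRequestHead(String method, String rawPath, String host, Map<String, String> headers) {
        StringBuilder head = new StringBuilder();
        head.append(requireNoControlChars("method", method))
            .append(' ').append(encodePath(rawPath)).append(" HTTP/1.1\r\n");
        head.append("Host: ").append(requireNoControlChars("Host", host)).append("\r\n");
        for (Map.Entry<String, String> e : headers.entrySet()) {
            head.append(requireNoControlChars("header name", e.getKey())).append(": ")
                .append(requireNoControlChars("header value", e.getValue())).append("\r\n");
        }
        return head.append("\r\n").toString();
    }

    public static void main(String[] args) {
        // Form encoding is the wrong tool for a path: '/' is escaped and space becomes '+'.
        System.out.println("URLEncoder.encode: " + URLEncoder.encode("/a b", StandardCharsets.UTF_8)); // %2Fa+b
        System.out.println("encodePath:        " + encodePath("/a b"));                                   // /a%20b

        // Constructed hostile input: a path that tries to end the request line and add a header.
        String hostilePath = "/api/v1/items\r\nX-Injected: 1";
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Accept", "*/*");
        String head = buildRequestHead("GET", hostilePath, "example.com", headers);
        System.out.print(head);

        // Request line, Host, Accept, empty line, then the trailing "" after the final CRLF.
        if (head.split("\r\n", -1).length != 5 || head.contains("\r\nX-Injected")) {
            throw new AssertionError("CRLF from the path leaked into the request head");
        }

        // The same payload in a header value is rejected outright rather than encoded.
        headers.put("X-Tag", "a\r\nEvil: 1");
        try {
            buildRequestHead("GET", "/", "example.com", headers);
            throw new AssertionError("header with CRLF was accepted");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Compile and run with `javac SafeRequestHead.java && java SafeRequestHead` (Java 10 or later, for the URLEncoder.encode(String, Charset) overload). The design point is that the two inputs are treated differently on purpose: a path is data and can be made safe by encoding, whereas a header name or value containing CR/LF has no legitimate encoded form in HTTP/1.1, so the only safe response is to refuse it.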

WAF Protection Rules

WAF Rule

Jodd HTTP v*.*.* was discovered to contain multiple CRLF injection vulnerabilities via the components jodd.http.HttpRequest#set and jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a
