CVE-2022-29631: Server-Side Request Forgery in Jodd HTTP
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-29631
GHSA ID:
EPSS Score: 0.11257%
CWE:
Published: 6/7/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jodd:jodd-http | maven | >= 5.0.0, < 6.2.1 | 6.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two functions in jodd-http:
- The path() method encoded the path with java.net.URLEncoder, which applies form encoding (spaces become '+') and does not handle CRLF, instead of proper percent-encoding via URLCoder. A path containing CR/LF characters could therefore reach the HTTP request line unencoded, allowing injection into it.
- The send() method wrote those unencoded values into the final HTTP payload without any further check, so the injected line breaks became part of the bytes sent to the server.

The patch replaced URLEncoder with URLCoder.encodePath in the path() method and added CRLF injection tests, which confirms these two methods as the injection points. The PoC in the GitHub issue demonstrates exploitation through them.
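As an added illustration of the direction the fix takes (this is not Jodd's code; RequestLineGuard, encodePath and requestLine are hypothetical names), the helper below percent-encodes a path with RFC 3986 path rules, so a space becomes %20 rather than '+' and CR/LF become %0D/%0A, and then refuses to emit a request line that still carries a raw CR or LF:

```java
import java.nio.charset.StandardCharsets;

// Hypothetical hardening helper (not Jodd's URLCoder): percent-encode a request path
// with RFC 3986 path rules and refuse to build a request line containing CR or LF.
public final class RequestLineGuard {

    // Characters allowed unencoded in a path: RFC 3986 "pchar" plus '/' (segment separator).
    private static final String PATH_SAFE =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        + "-._~!$&'()*+,;=:@/";

    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // Percent-encodes every byte outside PATH_SAFE. Space becomes %20 (never '+'),
    // CR and LF become %0D and %0A. A raw '%' is encoded too: input is treated as raw text.
    public static String encodePath(String rawPath) {
        StringBuilder out = new StringBuilder(rawPath.length() + 16);
        for (byte b : rawPath.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (v < 0x80 && PATH_SAFE.indexOf((char) v) >= 0) {
                out.append((char) v);
            } else {
                out.append('%').append(HEX[v >>> 4]).append(HEX[v & 0x0F]);
            }
        }
        return out.toString();
    }

    // Last check before the line is written to the socket: a CR or LF here means an
    // earlier layer failed to encode, and the request must not be sent at all.
    public static String requestLine(String method, String encodedPath) {
        String line = method + " " + encodedPath + " HTTP/1.1";
        if (line.indexOf('\r') >= 0 || line.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF in request line; refusing to send");
        }
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample: a path built from untrusted input that carries a CRLF sequence.
        String untrusted = "/api/items/name with space\r\nX-Injected: 1";
        String line = requestLine("GET", encodePath(untrusted));
        System.out.println(line); // the whole value stays on one line; %0D%0A are inert bytes
        try {
            requestLine("GET", untrusted);   // unencoded path: the guard rejects it
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call shows the defensive property a test for this class of bug should assert: with encoding missing, the request is refused rather than sent with a split request line.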