Miggo Logo
Miggo Vulnerability Database
CVE-2022-29631

CVE-2022-29631: Server-Side Request Forgery in Jodd HTTP

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-29631
GHSA ID
GHSA-pp3c-cf6j-m3ff
EPSS Score
0.11257%
CWE
CWE-74
Published
6/7/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jodd:jodd-httpmaven>= 5.0.0, < 6.2.16.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key functions:

  1. The path() method used URLEncoder (which encodes spaces as '+' and doesn't handle CRLF) instead of proper percent-encoding via URLCoder, allowing injection in the request line.
  2. The send() method propagated these unencoded values into the final HTTP payload. The patch explicitly replaced URLEncoder with URLCoder.encodePath in the path() method and added CRLF injection tests, confirming these as the injection points. The GitHub issue's PoC demonstrates exploitation via these methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Jo** *TTP v*.*.* w*s *is*ov*r** to *ont*in multipl* *LR* inj**tion vuln*r**iliti*s vi* t** *ompon*nts jo**.*ttp.*ttpR*qu*st#s*t *n* `jo**.*ttp.*ttpR*qu*st#s*n*. T**s* vuln*r**iliti*s *llow *tt**k*rs to *x**ut* S*rv*r-Si** R*qu*st *or**ry (SSR*) vi* *

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *. T** p*t*() m*t*o* us** URL*n*o**r (w*i** *n*o**s sp***s *s '+' *n* *o*sn't **n*l* *RL*) inst*** o* prop*r p*r**nt-*n*o*in* vi* URL*o**r, *llowin* inj**tion in t** r*qu*st lin*. *. T** s*n*() m*t*o*