CVE-2022-29631: Server-Side Request Forgery in Jodd HTTP

June 6, 2022 (updated May 14, 2024)

Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload.

References

github.com/advisories/GHSA-pp3c-cf6j-m3ff
github.com/oblac/jodd-http/commit/e50f573c8f6a39212ade68c6eb1256b2889fa8a6
github.com/oblac/jodd-http/issues/9
github.com/oblac/jodd/issues/787
nvd.nist.gov/vuln/detail/CVE-2022-29631

Code Behaviors & Features

Detect and mitigate CVE-2022-29631 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →