CVE-2022-29631 - OpenCVE

Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jodd	Jodd Http

Configuration 1 [-]

cpe:2.3:a:jodd:jodd_http:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/oblac/jodd-http/issues/9
https://github.com/oblac/jodd/issues/787

History

Fri, 16 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jodd jodd Http
CPEs	cpe:2.3:a:jodd:http::::::::	cpe:2.3:a:jodd:jodd_http::::::::
Vendors & Products	Jodd http	Jodd jodd Http

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-06-06T20:03:03

Updated: 2024-08-03T06:26:06.555Z

Reserved: 2022-04-25T00:00:00

Link: CVE-2022-29631

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-06T21:15:08.697

Modified: 2024-08-16T16:11:20.603

Link: CVE-2022-29631

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-06T20:03:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/oblac/jodd/issues/787"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/oblac/jodd-http/issues/9"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-29631", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/oblac/jodd/issues/787", "refsource": "MISC", "url": "https://github.com/oblac/jodd/issues/787"}, {"name": "https://github.com/oblac/jodd-http/issues/9", "refsource": "MISC", "url": "https://github.com/oblac/jodd-http/issues/9"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:26:06.555Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oblac/jodd/issues/787"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oblac/jodd-http/issues/9"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-29631", "datePublished": "2022-06-06T20:03:03", "dateReserved": "2022-04-25T00:00:00", "dateUpdated": "2024-08-03T06:26:06.555Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jodd:jodd_http:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA7523BB-2371-44AA-873B-3006F18A8653", "versionEndExcluding": "6.2.1", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload."}, {"lang": "es", "value": "Se ha detectado que Jodd HTTP versi\u00f3n 6.0.9, contiene m\u00faltiples vulnerabilidades de inyecci\u00f3n CLRF por medio de los componentes jodd.http.HttpRequest#set y \"jodd.http.HttpRequest#send. Estas vulnerabilidades permiten a atacantes ejecutar vulnerabilidades de tipo Server-Side Request Forgery (SSRF) por medio de una carga \u00fatil TCP dise\u00f1ada"}], "id": "CVE-2022-29631", "lastModified": "2024-08-16T16:11:20.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-06T21:15:08.697", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/oblac/jodd-http/issues/9"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/oblac/jodd/issues/787"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}