{"id":"GHSA-pp3c-cf6j-m3ff","summary":"Server-Side Request Forgery in Jodd HTTP","details":"Jodd HTTP v6.0.9 was discovered to contain multiple CRLF injection vulnerabilities via the components `jodd.http.HttpRequest#set` and `jodd.http.HttpRequest#send`. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload.","aliases":["CVE-2022-29631"],"modified":"2023-11-01T04:58:45.818539Z","published":"2022-06-07T00:00:31Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2022-06-07T21:14:24Z","severity":"HIGH","nvd_published_at":"2022-06-06T21:15:00Z","cwe_ids":["CWE-74","CWE-918"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29631"},{"type":"WEB","url":"https://github.com/oblac/jodd-http/issues/9"},{"type":"WEB","url":"https://github.com/oblac/jodd/issues/787"},{"type":"WEB","url":"https://github.com/oblac/jodd-http/commit/e50f573c8f6a39212ade68c6eb1256b2889fa8a6"},{"type":"PACKAGE","url":"https://github.com/oblac/jodd-http"}],"affected":[{"package":{"name":"org.jodd:jodd-http","ecosystem":"Maven","purl":"pkg:maven/org.jodd/jodd-http"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.0.0"},{"fixed":"6.2.1"}]}],"versions":["5.0.0","5.0.1","5.0.10","5.0.11","5.0.12","5.0.13","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.0.9","5.1.0","5.1.0-20190624","5.1.2","5.1.3","5.1.4","5.1.5","5.1.6","5.2.0","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.0.6","6.0.7","6.0.8","6.0.9","6.1.0","6.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pp3c-cf6j-m3ff/GHSA-pp3c-cf6j-m3ff.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}