
Cloud Vulnerability DB
A community-led vulnerabilities database
Jodd HTTP v6.0.9 was discovered to contain multiple CRLF injection vulnerabilities in the components jodd.http.HttpRequest#set and jodd.http.HttpRequest#send. The vulnerability affects multiple versions including 5.0.x, 5.1.x, 5.2.x, 6.0.x, 6.1.x, and 6.2.x. This security issue was assigned CVE-2022-29631 and allows attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload (NVD, GitHub Issue).
The vulnerability lies in the HTTP request handling code: the HttpRequest#set() method calls this.path(destination) without sanitizing the destination, so \r\n sequences can be injected through the query string, path, and fragment. In addition, the HttpRequest#sendTo() method calls this.buffer(true) to build the raw HTTP request payload, and the path, query string, fragment and other components are appended to that buffer verbatim, which is where the CRLF injection takes effect. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, GitHub Issue).
The vulnerability allows remote attackers to inject arbitrary TCP payload via CRLF sequences in a URL. This can lead to Server-Side Request Forgery (SSRF) attacks, potentially allowing attackers to manipulate server requests and interact with internal systems that should not be accessible externally (NVD).
The recommended mitigation is to properly URL encode invalid characters when constructing the HTTP request payload. This includes implementing proper sanitization of input parameters, especially in the path, query string, and fragment components of URLs (GitHub Issue).
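The following added example (constructed for this page, not Jodd's own code) contrasts the insecure request-line assembly described above with the percent-encoding mitigation the advisory recommends, and includes a small check that can be used to flag raw CR/LF in attacker-controlled URL components before they reach a client library. The helper names, the sample tainted path, and the exact set of characters left unencoded are assumptions.

```python
"""Constructed illustration of the CVE-2022-29631 pattern: building an HTTP
request-target by string concatenation lets a raw \r\n in the path, query or
fragment terminate the request line and inject additional header lines. The
hardened variant percent-encodes every character that is not allowed in a URL
component (RFC 3986), which is the mitigation recommended in the advisory."""
from urllib.parse import quote

CRLF = "\r\n"
# Characters allowed unencoded in path / query / fragment (RFC 3986 pchar plus "/" and "?").
# '%' is kept so that already-encoded input such as "%20" is not double-encoded; an
# encoded "%0D%0A" is harmless on the wire because it is never decoded as a line break.
_SAFE = "/?:@!$&'()*+,;=-._~%"


def assemble_target(path: str, query: str = "", fragment: str = "") -> str:
    """Mirror the advisory's description: query and fragment are appended to the path."""
    target = path
    if query:
        target += "?" + query
    if fragment:
        target += "#" + fragment
    return target


def request_line_insecure(method: str, path: str, query: str = "", fragment: str = "") -> str:
    """Vulnerable pattern: components concatenated with no encoding at all."""
    return f"{method} {assemble_target(path, query, fragment)} HTTP/1.1{CRLF}"


def request_line_hardened(method: str, path: str, query: str = "", fragment: str = "") -> str:
    """Mitigation: percent-encode each component before assembly, so CR/LF become %0D%0A."""
    enc = lambda s: quote(s, safe=_SAFE)
    return f"{method} {assemble_target(enc(path), enc(query), enc(fragment))} HTTP/1.1{CRLF}"


def count_lines(raw: str) -> int:
    """Number of CRLF-terminated lines in the serialized request head (1 means no injection)."""
    return raw.count(CRLF)


def contains_crlf_injection(component: str) -> bool:
    """Input-validation / logging check: true if a raw CR or LF is present in the component."""
    return "\r" in component or "\n" in component


if __name__ == "__main__":
    tainted = "/api/item\r\nX-Injected: 1"  # constructed attacker-controlled path value
    print(repr(request_line_insecure("GET", tainted)))  # two lines: header injected
    print(repr(request_line_hardened("GET", tainted)))  # one line: CRLF encoded
```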
Source: This report was generated using AI