CVE-2022-37724: 
Java vulnerability analysis and mitigation

Project Wonder WebObjects versions 1.0 through 5.4.3 are affected by an Arbitrary HTTP Header injection vulnerability and URL- or Header-based XSS reflection in all web-server adaptor interfaces. The vulnerability was discovered in August 2022 and affects the WebObjects web-server adaptors that handle communication between web servers and WebObjects application servers (Wonder Pull Request, WebObjects Blog).

The vulnerability exists in the WebObjects adaptors' URL parsing functionality. There are two methods of exploitation: 1) Through the WebObjects Version String in URLs (expected to appear as '.../WebObjects-4.exe/...') and 2) Through the trailing character sequence of the URL before the query string. The code fails to properly validate and sanitize URL components, allowing attackers to inject arbitrary HTTP headers and reflect malicious content. The vulnerability stems from unbounded version string lengths and lack of character filtering in URL processing (WebObjects Blog).

Successful exploitation could allow attackers to bypass IP-based DirectAction authorization by controlling REMOTE_ADDR headers, hijack user sessions and domain cookies through redirected XSS, create cloaking redirects awaiting user action, and chain with stored XSS in user forms to enable targeted phishing attacks. The vulnerability potentially enables unauthorized access to backend application servers by bypassing adaptor pre-filtering of content headers (WebObjects Blog).

The vulnerability has been patched in the Project Wonder repository. The fix includes restricting URL version components to a maximum of 6 characters, enforcing character set validation using regex [a-z0-9.-_]{1,5}, and adding URL validation to detect and block forbidden characters like 0x0D (carriage-return) or 0x0A (line-feed). Alternative mitigations include disabling URL decoding before query strings or implementing URL rewrites to block illegal characters (Wonder Pull Request, WebObjects Blog).