CVE-2022-1713

Published: May 16, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.

Affected (1)

Products: Diagrams: Drawio

Diagrams

1 product

Drawio

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Diagrams Drawio	Before 18.0.4

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee

Source: security@huntr.dev

PatchThird Party Advisory

https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11

Source: security@huntr.dev

ExploitPatchThird Party Advisory

https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.