CVE-2022-1713

7.5 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint of draw.io diagramming software. Attackers can exploit this to make requests from the server's perspective, potentially accessing internal resources and sensitive information. All users running draw.io versions prior to 18.0.4 are affected.

💻 Affected Systems

Products:
  • draw.io diagramming software
Versions: All versions prior to 18.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both self-hosted and potentially cloud deployments where the /proxy endpoint is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network resources accessible to the server, including cloud metadata services, internal APIs, and sensitive data stores, potentially leading to full network penetration.

🟠 Likely Case

Information disclosure of internal services, including access to cloud instance metadata, internal APIs, and configuration files that could contain credentials or sensitive data.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering, restricting the server's ability to reach sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and tooling exists for automated exploitation. The vulnerability requires network access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.4 and later

Vendor Advisory: https://github.com/jgraph/drawio/commit/283d41ec80ad410d68634245cf56114bc19331ee

Restart Required: Yes

Instructions:

1. Update draw.io to version 18.0.4 or later.
2. Restart the draw.io service.
3. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable /proxy endpoint (platform: all)

Remove or restrict access to the vulnerable /proxy endpoint if it is not required for functionality.

# Configuration depends on deployment method (Docker, standalone, etc.)

Network egress filtering (platform: linux)

Implement strict outbound firewall rules to limit the server's ability to reach internal resources. Any internal destinations the server legitimately needs (databases, authentication services) must be allowed with explicit ACCEPT rules placed before the DROP rules.

# Example iptables rules: block traffic from the draw.io host to the ranges an SSRF would target
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate the draw.io server from sensitive internal resources.
  • Deploy a web application firewall (WAF) with SSRF protection rules to block malicious requests.

🔍 How to Verify

Check if Vulnerable:

Check whether the draw.io version is below 18.0.4 via the application interface or the installed package version.

Check Version:

# Docker:                 docker exec <container_name> cat /usr/share/nginx/html/VERSION.txt
# Debian/Ubuntu package:  dpkg -l | grep draw.io
# RPM-based package:      rpm -qa | grep draw.io

Verify Fix Applied:

Confirm the version is 18.0.4 or higher and test the /proxy endpoint with controlled SSRF payloads to ensure they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /proxy endpoint with internal IP addresses or domains
  • Outbound connections from draw.io server to internal resources

Network Indicators:

  • HTTP requests from the draw.io server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Requests to cloud metadata endpoints (169.254.169.254)

SIEM Query:

source="drawio" AND (url_path="/proxy" OR dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254))
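As an added example (not from this advisory or the draw.io project), the log indicators above turned into detection logic run over constructed access-log lines: it pulls the destination out of each /proxy request and flags those aimed at private, link-local, loopback or metadata addresses. It assumes the proxied destination is passed as a `url` query parameter and that the log is in common/combined format; hostnames are reported as unresolved because judging them needs DNS resolution.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Destinations a request proxied by the draw.io server should never reach: the
# RFC 1918 ranges and the metadata address listed above, plus loopback and the
# rest of link-local space, which the server can reach just as easily.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Common/combined access-log format: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2022:10:01:02 +0000] "GET /proxy?url=https%3A%2F%2F203.0.113.50%2Fdiagram.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Apr/2022:10:01:09 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 1024',
    '198.51.100.4 - - [28/Apr/2022:10:02:15 +0000] "GET /proxy?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Apr/2022:10:02:20 +0000] "GET /proxy?url=http%3A%2F%2Fintranet.corp%2F HTTP/1.1" 200 300',
    '192.0.2.9 - - [28/Apr/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

def classify_target(target: str) -> str:
    """Classify a proxied URL as 'internal', 'external' or 'unresolved'."""
    host = urlsplit(target).hostname
    if host is None:
        return "unresolved"
    if host == "localhost":
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a hostname: resolve it before deciding
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def scan_access_log(lines):
    """Yield (client_ip, proxied_url, verdict) for every request to /proxy."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/proxy":
            continue
        # Assumption: the proxied destination is passed as the 'url' query parameter.
        for target in parse_qs(parts.query).get("url", []):
            yield m.group("src"), target, classify_target(target)
```

Feed real access-log lines to `scan_access_log` and alert on every `internal` verdict; the `unresolved` entries are the hostnames the SIEM query above would need a DNS lookup to judge.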
