CVE-2022-1767

7.5 HIGH

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in draw.io allows attackers to make unauthorized requests from the server to internal systems. It affects users running draw.io versions prior to 18.0.7, potentially exposing internal network resources to external attackers.

💻 Affected Systems

Products:
  • draw.io diagramming software
Versions: All versions prior to 18.0.7
Operating Systems: All platforms running draw.io
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both self-hosted and potentially cloud deployments depending on configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data from internal systems, or perform attacks against internal infrastructure using the server as a proxy.

🟠 Likely Case

Information disclosure from internal services, scanning of internal networks, or accessing metadata services in cloud environments.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and public details exist in the bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.7

Vendor Advisory: https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf

Restart Required: Yes

Instructions:

1. Update draw.io to version 18.0.7 or later.
2. Restart the draw.io service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Network egress filtering (applies to: all)

Restrict outbound connections from the draw.io server to only the external services it needs

Reverse proxy restrictions (applies to: all)

Configure the reverse proxy to block requests to internal IP ranges and sensitive URLs

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate draw.io server from sensitive internal systems
  • Deploy web application firewall (WAF) rules to detect and block SSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check the draw.io version: if it is below 18.0.7, the system is vulnerable

Check Version:

Check application version in UI or configuration files

Verify Fix Applied:

Confirm the version is 18.0.7 or higher and verify that the server no longer fetches internal addresses on a user's behalf

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from draw.io server
  • Requests to internal IP addresses or metadata services

Network Indicators:

  • Unexpected traffic from draw.io server to internal services
  • Requests to cloud metadata endpoints

SIEM Query:

source="drawio" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16 OR dest_ip=169.254.169.254)
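The same detection logic as the SIEM query above, run over constructed egress-log lines so it can be tested offline (an added example, not part of the original advisory; the log format and hostnames are assumptions, not draw.io's own logging):

```python
import ipaddress
import re

# Destinations an SSRF through the draw.io server would typically reach: the
# RFC 1918 private ranges, loopback, and the link-local range that hosts
# cloud metadata services (169.254.169.254).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed egress-log format (an assumption, not a real draw.io log format):
# "<timestamp> src=<host> dest_ip=<ip> dest_port=<port> url=<url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dest_ip=(?P<ip>\S+) dest_port=(?P<port>\d+) url=(?P<url>\S+)$"
)


def classify_destination(ip_text: str):
    """Return 'metadata', 'internal' or None for a destination address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # hostnames or malformed fields are not classified here
    if addr == METADATA_IP:
        return "metadata"
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal"
    return None


def find_ssrf_candidates(lines, source_host="drawio"):
    """Flag outbound connections from the draw.io host to internal destinations."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] != source_host:
            continue  # malformed line, or traffic from a different host
        reason = classify_destination(m["ip"])
        if reason:
            hits.append({"ts": m["ts"], "dest_ip": m["ip"], "url": m["url"], "reason": reason})
    return hits


# Constructed sample lines: one legitimate external fetch, one private-range
# fetch, one cloud-metadata fetch, and one from a host other than the draw.io server.
SAMPLE_LOG = [
    "2022-05-18T10:00:01Z src=drawio dest_ip=93.184.216.34 dest_port=443 url=https://example.com/diagram.xml",
    "2022-05-18T10:00:05Z src=drawio dest_ip=10.0.3.7 dest_port=8080 url=http://10.0.3.7:8080/",
    "2022-05-18T10:00:09Z src=drawio dest_ip=169.254.169.254 dest_port=80 url=http://169.254.169.254/",
    "2022-05-18T10:00:12Z src=webapp dest_ip=192.168.1.10 dest_port=5432 url=postgres://192.168.1.10/db",
]
```

Running `find_ssrf_candidates(SAMPLE_LOG)` returns the two draw.io-sourced internal destinations (10.0.3.7 as "internal", 169.254.169.254 as "metadata") and ignores the external fetch and the non-draw.io host.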
