SSRF via IPv6 address 2 in jgraph/drawio

Valid

Reported on

May 15th 2022


Description

While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states that fc00 / fd00 are private IPv6 ranges that are weirdly not covered by InetAddress, meaning that the check has to be done manually.

As I unfortunately did not catch this one in my previous report, I am dropping the bounty (setting CVSS to 0, and likewise the payout to 0) for this one.

Impact

SSRF
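The gap the report describes, as an added example (not drawio's code and not the linked fix): Java's `Inet6Address.isSiteLocalAddress()` only matches the deprecated fec0::/10 range, so the fc00::/7 unique-local range (RFC 4193, i.e. fc00/fd00) must be checked by hand before a server-side fetch is allowed. Class and method names below are my own.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added example, not drawio code: helper names are hypothetical.
public class Ipv6UlaCheck {

    // fc00::/7 (unique local addresses): the first byte is 0xfc or 0xfd.
    // Java's isSiteLocalAddress() does NOT cover this range, only fec0::/10.
    static boolean isUniqueLocal(InetAddress addr) {
        byte[] raw = addr.getAddress();
        // raw[0] & 0xfe promotes to int, so compare against the int 0xfc
        return raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
    }

    // Treat every non-public destination as internal for SSRF purposes,
    // including the ULA range that the built-in predicates miss.
    static boolean isInternalAddress(InetAddress addr) {
        return addr.isAnyLocalAddress()
            || addr.isLoopbackAddress()
            || addr.isLinkLocalAddress()
            || addr.isSiteLocalAddress()
            || addr.isMulticastAddress()
            || isUniqueLocal(addr);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample literals; getByName on a literal performs no DNS lookup.
        String[] samples = {
            "fd00::1",          // ULA: siteLocal=false, ula=true, internal=true
            "fc00::1",          // ULA: siteLocal=false, ula=true, internal=true
            "fec0::1",          // deprecated site-local: siteLocal=true
            "2001:db8::1",      // documentation prefix, not matched: internal=false
            "::ffff:10.0.0.1",  // IPv4-mapped literal becomes Inet4Address, so the
                                // IPv4 site-local check applies: internal=true
            "::1"               // loopback: internal=true
        };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            System.out.printf("%-16s siteLocal=%-5b ula=%-5b internal=%b%n",
                s, a.isSiteLocalAddress(), isUniqueLocal(a), isInternalAddress(a));
        }
    }
}
```

When the input is a hostname rather than a literal, apply `isInternalAddress` to every address returned by `InetAddress.getAllByName`, and connect to the address that was checked rather than re-resolving the name.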

We are processing your report and will contact the jgraph/drawio team within 24 hours.
a month ago
haxatron
a month ago

Researcher


Am dropping the bounty for this one as I wasn't able to catch these particular IPv6 ranges in the previous report

David Benson
a month ago

Maintainer


Thanks, appreciate that. Fix is https://github.com/jgraph/drawio/commit/cc7e86d4df7cd52631adc98f45696acd0260f526

David Benson validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on 7a68eb a month ago
The fix bounty has been dropped