SSRF via IPv6 address 2 in jgraph/drawio
Valid
Reported on
May 15th 2022
Description
While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states that fc00 / fd00 are private IPv6 ranges that are weirdly not covered by InetAddress, meaning that it has to be done manually.
As I unfortunately did not catch this one in my previous report, I am dropping the bounty (setting CVSS to 0, and likewise the payout to 0) for this one.
Impact
SSRF
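The reporter's point in Java terms, as an added example (not drawio's code and not the linked fix): `Inet6Address.isSiteLocalAddress()` only matches the deprecated fec0::/10 range, so the unique local range fc00::/7 (fc00 / fd00) has to be tested by hand before a server-side fetch is allowed. The class name and the sample literals are constructed for this example.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

/** Added example: an "internal address" check that also covers fc00::/7. */
public final class InternalAddressCheck {

    /** fc00::/7, the IPv6 unique local range (RFC 4193): fc00::/8 and fd00::/8. */
    static boolean isUniqueLocal(InetAddress addr) {
        if (!(addr instanceof Inet6Address)) {
            return false;
        }
        byte[] b = addr.getAddress();      // 16 bytes for an IPv6 address
        return (b[0] & 0xfe) == 0xfc;      // top 7 bits == 1111110
    }

    /** True if a resolved address must not be fetched by a server-side request. */
    static boolean isInternal(InetAddress addr) {
        return addr.isAnyLocalAddress()    // 0.0.0.0, ::
            || addr.isLoopbackAddress()    // 127.0.0.0/8, ::1
            || addr.isLinkLocalAddress()   // 169.254.0.0/16, fe80::/10
            || addr.isSiteLocalAddress()   // 10/8, 172.16/12, 192.168/16, fec0::/10 only
            || addr.isMulticastAddress()
            || isUniqueLocal(addr);        // the gap from the report: fc00::/7
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample literals; getByName does no DNS lookup for IP literals.
        // Java parses the IPv4-mapped form ::ffff:10.0.0.1 as an Inet4Address,
        // so the IPv4 site-local check applies to it.
        String[] samples = {
            "fd00::1", "fc00::1", "fec0::1", "fe80::1", "::1",
            "10.0.0.1", "::ffff:10.0.0.1", "2001:db8::1"
        };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            System.out.printf("%-16s siteLocal=%-5b uniqueLocal=%-5b internal=%b%n",
                s, a.isSiteLocalAddress(), isUniqueLocal(a), isInternal(a));
        }
    }
}
```

The check belongs on every address the hostname resolves to, at the moment the connection is made, so that a later re-resolution cannot bypass it.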
I am dropping the bounty for this one, as I wasn't able to catch these particular IPv6 ranges in the previous report.
Thanks, appreciate that. Fix is https://github.com/jgraph/drawio/commit/cc7e86d4df7cd52631adc98f45696acd0260f526
The fix bounty has been dropped