SSRF via IPv6 address 2 in jgraph/drawio

Valid

Reported on

May 15th 2022

Description

While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states fc00 / fd00 are also private IPv6 range that are weirdly not covered by INetAddress, meaning that it has to be done manually.

As I unfortunately did not catch this one in my previous report, I am dropping the bounty (setting CVSS to 0, and likewise the payout to 0) for this one.

Impact

SSRF

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago

haxatron

commented a month ago

Researcher

Am dropping the bounty for this one as I wasn't able to catch these particular IPv6 ranges in the previous report

David Benson

commented a month ago

Maintainer

Thanks, appreciate that. Fix is https://github.com/jgraph/drawio/commit/cc7e86d4df7cd52631adc98f45696acd0260f526

David Benson validated this vulnerability a month ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

David Benson confirmed that a fix has been merged on 7a68eb a month ago

The fix bounty has been dropped

to join this conversation

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago

haxatron

commented a month ago

Researcher

Am dropping the bounty for this one as I wasn't able to catch these particular IPv6 ranges in the previous report

David Benson

commented a month ago

Maintainer

Thanks, appreciate that. Fix is https://github.com/jgraph/drawio/commit/cc7e86d4df7cd52631adc98f45696acd0260f526

David Benson validated this vulnerability a month ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

David Benson confirmed that a fix has been merged on 7a68eb a month ago

The fix bounty has been dropped

to join this conversation