SSRF via IPv6 address 2 in jgraph/drawio
Reported on
May 15th 2022
Description
While searching online, I found that https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private also states that fc00 / fd00 are private IPv6 ranges that are weirdly not covered by InetAddress, meaning that the check has to be done manually.
As I unfortunately did not catch this one in my previous report, I am dropping the bounty (setting CVSS to 0, and likewise the payout to 0) for this one.
Impact
SSRF
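The following Java program is an added example, not code from drawio or from the reporter, showing the gap the report describes: InetAddress.isSiteLocalAddress() only matches the deprecated fec0::/10 site-local prefix, so a unique local address such as fd00::1 (RFC 4193, fc00::/7) passes every built-in "is this address private" method and has to be rejected by a manual prefix check. The helper names, the blocklist composition and the sample addresses are assumptions made for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

public class PrivateIpv6Check {

    // Unique local addresses (RFC 4193) occupy fc00::/7, i.e. the first byte is
    // 0xfc or 0xfd. InetAddress has no method for this range: isSiteLocalAddress()
    // checks only the deprecated fec0::/10 prefix, so the test is done by hand here.
    // (Hypothetical helper written for this example.)
    static boolean isUniqueLocal(InetAddress addr) {
        if (!(addr instanceof Inet6Address)) {
            return false;
        }
        byte[] b = addr.getAddress();
        return (b[0] & 0xfe) == 0xfc;
    }

    // Example blocklist for an outbound proxy: the built-in checks plus the
    // manual fc00::/7 test. Without isUniqueLocal(), fd00::/8 and fc00::/8
    // targets would be allowed through. (Assumed policy, not drawio's own.)
    static boolean isBlocked(InetAddress addr) {
        return addr.isAnyLocalAddress()      // 0.0.0.0, ::
            || addr.isLoopbackAddress()      // 127.0.0.0/8, ::1
            || addr.isLinkLocalAddress()     // 169.254.0.0/16, fe80::/10
            || addr.isSiteLocalAddress()     // RFC 1918 ranges, fec0::/10 only for IPv6
            || addr.isMulticastAddress()     // 224.0.0.0/4, ff00::/8
            || isUniqueLocal(addr);          // fc00::/7, the gap from the report
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample literals; getByName() parses them without a DNS lookup.
        // Note that Java returns an Inet4Address for IPv4-mapped literals such as
        // ::ffff:10.0.0.1, so those fall under the IPv4 site-local check.
        String[] samples = {
            "fd00::1", "fc00::1234", "fec0::1", "fe80::1", "::1",
            "2001:db8::1", "10.0.0.1", "::ffff:10.0.0.1"
        };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            System.out.printf("%-18s isSiteLocal=%-5b isUniqueLocal=%-5b blocked=%b%n",
                    s, a.isSiteLocalAddress(), isUniqueLocal(a), isBlocked(a));
        }
    }
}
```

A check like this only helps when it is applied to the addresses the proxy actually connects to: resolve the requested hostname, test every resolved address, connect to one that passed, and repeat the test after each HTTP redirect, since a literal-only check is bypassed by a hostname that resolves into one of these ranges.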
I am dropping the bounty for this one as I wasn't able to catch these particular IPv6 ranges in the previous report.
Thanks, appreciate that. Fix is https://github.com/jgraph/drawio/commit/cc7e86d4df7cd52631adc98f45696acd0260f526