CVE-2022-1784

Name of the Vulnerable Software and Affected Versions drawio versions prior to 18.0.8

Description The issue is related to insufficient validation of incoming requests in the url.openConnection() function of the Embed2 servlet in the drawio diagram-building software. This can be exploited by a remote attacker to perform a Server-Side Request Forgery (SSRF) attack by sending a specially crafted HTTP request.

Recommendations For versions prior to 18.0.8, update to version 18.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the url.openConnection() function to minimize the risk of exploitation.