CVE-2022-1379 — Server-Side Request Forgery in Plantuml

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.3%

top 48.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Plantuml Plantuml Plantuml Fedoraproject Fedora +1 more

Timeline

PublishedMay 14

Latest updateMay 15

Description

URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5. An attacker can abuse this to bypass URL restrictions that are imposed by the different security profiles and achieve server side request forgery (SSRF). This allows accessing restricted internal resources/servers or sending requests to third party servers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDplantuml/plantuml< 1.2022.5

▶CVEListV5plantuml/plantuml_plantumlunspecified — V1.2022.5

▶debiandebian/plantuml

Also affects: Fedora 35, 36

Patches

Patch: github.com ↗Patch: huntr.dev ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-8qqf-jx6g-2rcv: URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1↗2022-05-15

▶

OSV

CVE-2022-1379: URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1↗2022-05-14

▶

📋Vendor Advisories

Debian

CVE-2022-1379: plantuml - URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5...↗2022

▶