CVE-2022-1575 Arbitrary Code Execution in versions < 18.0.0 #988
davidjgraph started this conversation in General
v18.0.0 fixes a vulnerability in versions < 18.0.0 that could allow arbitrary code execution. This is a critical vulnerability and all users are encouraged to update as soon as possible.
jgraph/drawio#2791 describes the incident in more detail. The key improvement we will implement on the desktop app is #987.
Blocking unsafe-inline has proved very effective against JS injection attacks on app.diagrams.net. We will implement that and publish another release shortly.
After that, we will review the process isolation between the main and rendering process. We have a specific protocol for comms between the two, but there has to be a way to allow for the rendering process to read/write file contents.
Feedback and questions always welcome.
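The post credits blocking `'unsafe-inline'` with stopping JS injection. As an added illustration (not drawio's code; the policies below are constructed samples, not the project's real headers), this small checker parses a Content-Security-Policy string and reports whether inline script would still execute, showing the weak policy beside the hardened one:

```javascript
// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// True when inline <script> blocks and inline event handlers would run.
// CSP semantics applied here: script-src falls back to default-src; with no
// directive at all nothing is restricted; and 'unsafe-inline' is ignored by
// CSP Level 2+ browsers once a nonce- or hash-source is present.
function allowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] ?? d['default-src'];
  if (!sources) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies (hypothetical, not drawio's actual headers).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; img-src * data:";
const NONCE_CSP = "script-src 'self' 'nonce-abc123' 'unsafe-inline'";

console.log(allowsInlineScript(WEAK_CSP));     // true: injected inline script runs
console.log(allowsInlineScript(HARDENED_CSP)); // false: inline script is blocked
console.log(allowsInlineScript(NONCE_CSP));    // false: nonce disables 'unsafe-inline'
```

A policy that blocks inline script still needs external sources kept tight, since `script-src` hosts that serve attacker-controlled content reopen the same door.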