{"id":"CVE-2022-1379","summary":"URL Restriction Bypass in plantuml/plantuml","details":"URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5. An attacker can abuse this to bypass URL restrictions that are imposed by the different security profiles and achieve server side request forgery (SSRF). This allows accessing restricted internal resources/servers or sending requests to third party servers.","modified":"2026-04-11T22:13:43.065037Z","published":"2022-05-14T09:55:09Z","related":["openSUSE-SU-2024:12080-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1379.json","cna_assigner":"@huntrdev","cwe_ids":["CWE-918"]},"references":[{"type":"WEB","url":"https://huntr.dev/bounties/0d737527-86e1-41d1-9d37-b2de36bc063a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1379.json"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHUE4G5CAJUD7L2QPJF6U4JYQTP7CNNL/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4DP36G2VBOZUNQIUZ5LVJKZIVO4SDAI/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1379"},{"type":"FIX","url":"https://github.com/plantuml/plantuml/commit/93e5964e5f35914f3f7b89de620c596795550083"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plantuml/plantuml","events":[{"introduced":"0"},{"fixed":"229a6129e2473da8227f5138f26edbb352e38376"}]}],"versions":["v1.2017.12","v1.2017.13","v1.2017.14","v1.2017.15","v1.2017.17","v1.2017.18","v1.2017.19","v1.2017.20","v1.2018.0","v1.2018.1","v1.2018.10","v1.2018.11","v1.2018.12","v1.2018.13","v1.2018.14","v1.2018.2","v1.2018.3","v1.2018.4","v1.2018.5","v1.2018.6","v1.2018.7","v1.2018.8","v1.2018.9","v1.2019.0","v1.2019.1","v1.2019.10","v1.2019.11","v1.2019.12","v1.2019.13","v1.2019.2","v1.2019.4","v1.2019.5","v1.2019.6","v1.2019.7","v1.2019.8","v1.2019.9","v1.2020.0","v1.2020.1","v1.2020.10","v1.2020.11","v1.2020.12","v1.2020.13","v1.2020.14","v1.2020.15","v1.2020.16","v1.2020.17","v1.2020.18","v1.2020.19","v1.2020.2","v1.2020.20","v1.2020.21","v1.2020.22","v1.2020.23","v1.2020.24","v1.2020.26","v1.2020.3","v1.2020.4","v1.2020.6","v1.2020.7","v1.2020.8","v1.2020.9","v1.2021.0","v1.2021.1","v1.2021.10","v1.2021.12","v1.2021.13","v1.2021.14","v1.2021.15","v1.2021.16","v1.2021.2","v1.2021.3","v1.2021.4","v1.2021.5","v1.2021.6","v1.2021.7","v1.2021.8","v1.2021.9","v1.2022.0","v1.2022.1","v1.2022.2","v1.2022.3","v1.2022.4","v2017.08","v2017.09","v2017.11","v8059"],"database_specific":{"vanir_signatures_modified":"2026-04-11T22:13:43Z","vanir_signatures":[{"id":"CVE-2022-1379-93b7683b","source":"https://github.com/plantuml/plantuml/commit/229a6129e2473da8227f5138f26edbb352e38376","signature_version":"v1","signature_type":"Line","target":{"file":"test/net/sourceforge/plantuml/security/SURLTest.java"},"digest":{"threshold":0.9,"line_hashes":["196264472814800741060603148441232717978","276534186818838624058782349229553771726","228068663217648557685707576066358518591","132462165622317319281114704777089076480","274810568477027801438125860551311888240","289304651679670439044352821383488975628","180908644323663739383706755014823285724"]},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1379.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}