{"id":"CVE-2022-3065","summary":"Improper Access Control in jgraph/drawio","details":"Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.","modified":"2026-04-11T23:15:02.508933Z","published":"2022-09-02T18:15:12Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/3xxx/CVE-2022-3065.json","cna_assigner":"@huntrdev","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://huntr.dev/bounties/5f3bc4b6-1d53-46b7-a23d-70f5faaf0c76"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/3xxx/CVE-2022-3065.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3065"},{"type":"FIX","url":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jgraph/drawio","events":[{"introduced":"0"},{"fixed":"59887e45b36f06c8dd4919a32bacd994d9f084da"}]}],"versions":["v11.1.5","v11.2.0","v11.2.1","v11.2.2","v11.2.4","v11.2.5","v11.2.6","v11.2.7","v11.2.8","v11.2.9","v11.3.0","v11.3.1","v11.3.2","v12.0.0","v12.1.0","v12.1.1","v12.1.2","v12.1.3","v12.1.4","v12.1.5","v12.1.6","v12.1.7","v12.1.8","v12.1.9","v12.2.0","v12.2.1","v12.2.2","v12.2.3","v12.2.4","v12.2.7","v12.2.8","v12.2.9","v12.3.0","v12.3.1","v12.3.2","v12.3.3","v12.3.4","v12.3.5","v12.3.6","v12.3.7","v12.3.9","v12.4.0","v12.4.1","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.5.0","v12.5.1","v12.5.2","v12.5.3","v12.5.4","v12.5.5","v12.5.7","v12.5.8","v12.6.1","v12.6.3","v12.6.4","v12.6.5","v12.6.7","v12.6.8","v12.7.0","v12.7.1","v12.7.2","v12.7.3","v12.7.4","v12.7.8","v12.7.9","v12.8.0","v12.8.1","v12.8.2","v12.8.3","v12.8.5","v12.8.6","v12.9.1","v12.9.10","v12.9.11","v12.9.12","v12.9.13","v12.9.14","v12.9.2","v12.9.3","v12.9.4","v12.9.5","v12.9.6","v12.9.7","v12.9.8","v12.9.9","v13.0.0","v13.0.1","v13.0.2","v13.0.3","v13.0.4","v13.0.6","v13.0.7","v13.0.8","v13.0.9","v13.1.1","v13.1.13","v13.1.14","v13.1.2","v13.1.3","v13.1.4","v13.1.7","v13.1.8","v13.1.9","v13.10.0","v13.10.1","v13.10.2","v13.10.4","v13.10.5","v13.10.6","v13.10.9","v13.11.0","v13.2.0","v13.2.1","v13.2.2","v13.2.3","v13.2.4","v13.2.5","v13.3.0","v13.3.1","v13.3.3","v13.3.4","v13.3.5","v13.3.6","v13.3.7","v13.3.8","v13.3.9","v13.4.0","v13.4.1","v13.4.2","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9","v13.5.0","v13.5.1","v13.5.2","v13.5.3","v13.5.4","v13.5.5","v13.5.6","v13.5.7","v13.5.8","v13.5.9","v13.6.0","v13.6.1","v13.6.10","v13.6.2","v13.6.3","v13.6.4","v13.6.5","v13.6.6","v13.6.7","v13.6.8","v13.6.9","v13.7.0","v13.7.2","v13.7.3","v13.7.4","v13.7.5","v13.7.6","v13.7.7","v13.7.8","v13.7.9","v13.8.0","v13.8.1","v13.8.2","v13.8.3","v13.8.5","v13.8.6","v13.8.7","v13.8.8","v13.8.9","v13.9.0","v13.9.1","v13.9.4","v13.9.5","v13.9.7","v13.9.8","v13.9.9","v14.0.0","v14.0.1","v14.0.2","v14.0.3","v14.0.4","v14.1.0","v14.1.1","v14.1.2","v14.1.3","v14.1.4","v14.1.5","v14.1.7","v14.1.8","v14.1.9","v14.2.2","v14.2.3","v14.2.4","v14.2.5","v14.2.6","v14.2.7","v14.2.8","v14.2.9","v14.3.0","v14.3.1","v14.3.2","v14.4.0","v14.4.2","v14.4.3","v14.4.4","v14.4.5","v14.4.6","v14.4.7","v14.4.8","v14.4.9","v14.5.0","v14.5.1","v14.5.2","v14.5.4","v14.5.5","v14.5.6","v14.5.7","v14.5.9","v14.6.0","v14.6.10","v14.6.13","v14.6.2","v14.6.5","v14.6.6","v14.6.8","v14.6.9","v14.7.0","v14.7.1","v14.7.10","v14.7.2","v14.7.3","v14.7.4","v14.7.5","v14.7.6","v14.7.7","v14.7.8","v14.7.9","v14.8.0","v14.8.2","v14.8.3","v14.8.4","v14.8.5","v14.8.6","v14.9.0","v14.9.1","v14.9.2","v14.9.3","v14.9.4","v14.9.5","v14.9.6","v14.9.7","v14.9.9","v15.0.0","v15.0.1","v15.0.2","v15.0.3","v15.0.4","v15.0.5","v15.0.6","v15.1.0","v15.1.1","v15.1.2","v15.1.3","v15.1.4","v15.2.0","v15.2.1","v15.2.2","v15.2.5","v15.2.6","v15.2.7","v15.2.9","v15.3.0","v15.3.1","v15.3.2","v15.3.3","v15.3.4","v15.3.5","v15.3.6","v15.3.7","v15.3.8","v15.4.0","v15.4.1","v15.4.2","v15.4.3","v15.5.0","v15.5.1","v15.5.2","v15.5.4","v15.5.5","v15.5.7","v15.5.8","v15.5.9","v15.6.0","v15.6.1","v15.6.2","v15.6.3","v15.6.4","v15.6.5","v15.6.6","v15.6.8","v15.7.0","v15.7.1","v15.7.2","v15.7.3","v15.7.4","v15.8.0","v15.8.1","v15.8.3","v15.8.4","v15.8.5","v15.8.6","v15.8.7","v15.8.8","v15.8.9","v15.9.1","v15.9.3","v15.9.4","v15.9.5","v15.9.6","v16.0.0","v16.0.2","v16.0.3","v16.1.0","v16.1.2","v16.1.3","v16.1.4","v16.2.1","v16.2.2","v16.2.3","v16.2.4","v16.2.6","v16.2.7","v16.3.0","v16.4.0","v16.4.11","v16.4.3","v16.4.5","v16.4.7","v16.4.8","v16.5.1","v16.5.2","v16.5.3","v16.5.4","v16.5.6","v16.6.0","v16.6.1","v16.6.2","v16.6.3","v16.6.4","v16.6.5","v16.6.6","v16.6.7","v16.6.8","v17.0.0","v17.1.0","v17.1.1","v17.1.2","v17.1.3","v17.1.4","v17.1.5","v17.2.1","v17.2.2","v17.2.3","v17.2.4","v17.2.5","v17.3.0","v17.4.0","v17.4.1","v17.4.2","v17.4.3","v17.5.1","v18.0.0","v18.0.1","v18.0.2","v18.0.3","v18.0.4","v18.0.5","v18.0.6","v18.0.7","v18.0.8","v18.1.1","v18.1.2","v18.1.3","v18.2.0","v18.2.1","v19.0.0","v19.0.1","v19.0.2","v19.0.3","v20.0.0","v20.0.1","v20.0.2","v20.0.3","v20.0.4","v20.1.1","v20.1.4","v20.2.0","v20.2.1","v20.2.3","v20.2.5","v20.2.6","v20.2.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3065.json","vanir_signatures_modified":"2026-04-11T23:15:02Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"CVE-2022-3065-06e4f91d","digest":{"line_hashes":["297983236862601165162787118241350983496","133035404098511831773598258515486418724","212846912982100851464022957389897577831","32011423035349666097510197413558946531","109112847926717724002180184610925242363","100973255290288092485116936733497852829","340038873403744728254404263329399700015","174938571958385037303856608928420524177","311389738974490431870229755008694800129","55347842852159006705121042050227110491","83978588605010645430415588439349008990","218372034107510732116404861408431682443","16494419807435874779104973885105030122","28690038051724391867905572630846110829","40476685730975843371065815345167508907","298858127178227798993449599869642660093","337206035943752135576863116377705752749","86040464160842229292572306902721907048","314407095552115460216069433762297564549","286990117545344243044723900401037855821","141142719025590306306861712860538540807"],"threshold":0.9},"target":{"file":"src/main/java/com/mxgraph/online/Utils.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-33b09ffa","digest":{"function_hash":"96961156035401870364042402541247912108","length":1719},"target":{"function":"main","file":"etc/build/Xml2Js.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-35936aed","digest":{"function_hash":"8041084678674978518112558486823271164","length":1111},"target":{"function":"encodeToChar","file":"etc/build/Xml2Js.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-58f8041d","digest":{"function_hash":"313266798093428268168576267760669496741","length":3379},"target":{"function":"doGet","file":"src/main/java/com/mxgraph/online/ProxyServlet.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"CVE-2022-3065-8e4a47b0","digest":{"line_hashes":["6785300618005244835590464136920187191","225471474582133882768362654400264699066","543102805368430631406794047061206683","222753208587775605867005668593013685261","157302413686732045262754988371867421215","2409321213793600073268484550200101423","3748345803253937438363150908059431424","334095477408192524693396741044497736820","333074141710635353878506192750459148821","220923117417108136404831396530146730070","331777700304274504875345992146850816227","92369655465345351816362398917822910578","265189683334862732081892700231238945554","180925912375447681660140934576471811157","212020884842230654191485434782427439439","85301004613514657601829287190636999081","320952603635065900274109981844396957809","331895422944685206421642923240621563545","233391726559323997763420646506788023785","83851613445884570417618405524943993854","216942005804950694385631626916314475224","174208482129194807258718743164878794832","5800817682951581055551851812981817729","203827527768763910254532795752425599484","276626413321479180097228216966277627587","239315845419584444762237605349801951607","311257320123997839656570907469728989133","170604929371976252973301422446046783768","101388915085864148968652460542918466045","28020380684217053910171162195320734404","227755341161553335816271717946109703226","91886026009388238977033732407003471552","136664239850481066558056863348874677001"],"threshold":0.9},"target":{"file":"src/main/java/com/mxgraph/online/ProxyServlet.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"CVE-2022-3065-abd08571","digest":{"line_hashes":["233577614699527743564682273421804057270","221191585921726678159445291503670485834","299603866859328349950744412835134267454","273409930919550499013518914655277389417","122093480619065885840978521812142053258","262604939318127126324245210226742791515","236149320160318680032094546286122451148","280448962555398978864303675593450648920","98396121281711410203296941214906655555","321806190087610122616234049102488856873","189091165997832564983778620583609300097","237386385920045882619988158451408857178","47941094952644171411889798337040029681","339283951833588204599223065479697045835","248269219522147313286561959993382843992","103966679695511622651573860557880848602","256809434073643629002423510677503740432","94037708131410420735416239993527799246","123668655185339834248107967079993858075","281398392442023563082981425248851428670","142609906106253567952313931900095078886","95295751230956113367010770846088973438","173830108560791312116902361945251504221","237514152212320358775719985449898560772","121157210281151847609433117383222873927","153963781256889667250556959393627393659","45861170089771701835298862530253235289","235957020993296968228632044740142644116","318711834747898961126936434948560613965","142198869142466117076191409932409282130","196616920651455204409280109635477049561","137736253312572466384264248803546532368","18740559563418698498478619718099439883","177280045930692335782057791343349900770","179922939558126653811930465427667734144","105388939113232575444328528482173382868","264589555106172830531656658305434349395","174456559205099181560883226315682767116","63557398941820050497709364754628594575","183382724266282038155095381810588423694","273805920861973310662999498116627870641","263431443634750266788546208064691998972","82552240235073817749531416522673072573","320212708465011619674082529115899305156","278886173721646755045037169398002909313","242840361321130068658275950424531870686","333737538173695269293870346721731949889","334148294203493625613572525015547245707","252560100670120748707043842508198053307","5056344363273608289097006222117105440","328929089709809609281664264923418236879","36042973620110671241003223896278137984","65105102227156922836621161824576920636","318938905857733503356770383446234304295","280865377667360368664291392442566914292","321166796859239684721166982259003388433","14886297428902376420118698787299788505","231528823673802003450724962903432837571","95023694615599038565222238739543872041","251543409376299449510658140338911171547","223074958479687279755332080807399873529","140041284791679889559147102995910035078","249910471601094001864904573284108904439","90218585991818013391230549386593302824","317788341191277961308047512883952986471","284901134845394111769449375959535839346"],"threshold":0.9},"target":{"file":"etc/build/Xml2Js.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-d27fd853","digest":{"function_hash":"266565511375680158299356772915967862353","length":1546},"target":{"function":"sanitizeUrl","file":"src/main/java/com/mxgraph/online/Utils.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-d8b01d3c","digest":{"function_hash":"278864591542633513335048423535207941747","length":614},"target":{"function":"processFile","file":"etc/build/Xml2Js.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"CVE-2022-3065-e5e79b8a","digest":{"function_hash":"138275637415824010497911215082306960773","length":98},"target":{"function":"encodeToString","file":"etc/build/Xml2Js.java"},"source":"https://github.com/jgraph/drawio/commit/59887e45b36f06c8dd4919a32bacd994d9f084da"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}