Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mbTM1LWpnZzMtM2dyeM00Gg

NaN/INF in serverbound movement packets can crash clients and servers

Impact

A malicious client may send a MovePlayerPacket to the server whose position or rotation contains NaN or INF. Since neither the server nor vanilla client handles this properly, a number of interesting side effects come into play.

Patches

A patch for this was included in the 3.18.1 release: https://github.com/pmmp/PocketMine-MP/commit/fb20bb38327b4c08ee3976640cd0dd547388a638

Workarounds

Workarounds could be implemented as plugins using DataPacketReceiveEvent to block any inbound movement packets containing bogus values.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-fm35-jgg3-3grx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mbTM1LWpnZzMtM2dyeM00Gg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-fm35-jgg3-3grx
References: Repository: https://github.com/pmmp/PocketMine-MP
Blast Radius: 15.6

Affected Packages

packagist:pocketmine/pocketmine-mp
Dependent packages: 52
Dependent repositories: 120
Downloads: 53,716 total
Affected Version Ranges: <= 3.18.0
Fixed in: 3.18.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.16.0, 3.16.1, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.18.0
All unaffected versions: 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.24.0, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.25.6, 3.26.0, 3.26.1, 3.26.2, 3.26.3, 3.26.4, 3.26.5, 3.27.0, 3.28.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.12.8, 4.12.9, 4.12.10, 4.12.11, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.18.1, 4.18.2, 4.18.3, 4.18.4, 4.19.0, 4.19.1, 4.19.2, 4.19.3, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.23.5, 4.23.6, 4.24.0, 4.25.0, 4.26.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.8.2, 5.9.0, 5.10.0, 5.11.0, 5.11.1, 5.11.2, 5.12.0, 5.12.1, 5.13.0, 5.14.0, 5.14.1