Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nNXJyLXA2OWgtN3YzZ80_qQ

Insufficient type validation in pocketmine/pocketmine-mp

When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, it could result in crashes on certain types of bad data (e.g. incorrect ListTag type provided for the CanDestroy tag). This is fixed in 4.2.9 by commit 5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2. It's non-trivial to workaround this, but can be done by handling InventoryTransactionPacket and PlayerAuthInputPacket to scrub inbound transaction data of bogus NBT that would cause these crashes.

Permalink: https://github.com/advisories/GHSA-g5rr-p69h-7v3g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNXJyLXA2OWgtN3YzZ80_qQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-g5rr-p69h-7v3g
References: Repository: https://github.com/pmmp/PocketMine-MP

Affected Packages

packagist:pocketmine/pocketmine-mp
Dependent packages: 52
Dependent repositories: 120
Downloads: 52,674 total
Affected Version Ranges: < 4.2.9
Fixed in: 4.2.9
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.16.0, 3.16.1, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.24.0, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.25.6, 3.26.0, 3.26.1, 3.26.2, 3.26.3, 3.26.4, 3.26.5, 3.27.0, 3.28.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8
All unaffected versions: 4.2.9, 4.2.10, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.12.8, 4.12.9, 4.12.10, 4.12.11, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.18.1, 4.18.2, 4.18.3, 4.18.4, 4.19.0, 4.19.1, 4.19.2, 4.19.3, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.23.5, 4.23.6, 4.24.0, 4.25.0, 4.26.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.8.2, 5.9.0, 5.10.0, 5.11.0, 5.11.1, 5.11.2, 5.12.0, 5.12.1, 5.13.0