Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oODdyLWY0dmMtbWNods4AAzpK
PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
Impact
In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar.
This did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild.
Patches
This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1.
Workarounds
Handle InventoryTransactionPacket
in DataPacketReceiveEvent
, and verify that the item count dropped isn't more than the available item count. However, it's complicated to do this, so it's not recommended.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oODdyLWY0dmMtbWNods4AAzpK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-h87r-f4vc-mchv
References:
- https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv
- https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2
- https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181
- https://github.com/advisories/GHSA-h87r-f4vc-mchv
Blast Radius: 15.6
Affected Packages
packagist:pocketmine/pocketmine-mp
Dependent packages: 52Dependent repositories: 120
Downloads: 53,716 total
Affected Version Ranges: < 4.18.1
Fixed in: 4.18.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.16.0, 3.16.1, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.24.0, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.25.6, 3.26.0, 3.26.1, 3.26.2, 3.26.3, 3.26.4, 3.26.5, 3.27.0, 3.28.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.12.8, 4.12.9, 4.12.10, 4.12.11, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0, 4.17.0, 4.17.1, 4.17.2, 4.18.0
All unaffected versions: 4.18.1, 4.18.2, 4.18.3, 4.18.4, 4.19.0, 4.19.1, 4.19.2, 4.19.3, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.23.5, 4.23.6, 4.24.0, 4.25.0, 4.26.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.8.2, 5.9.0, 5.10.0, 5.11.0, 5.11.1, 5.11.2, 5.12.0, 5.12.1, 5.13.0, 5.14.0, 5.14.1