Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yODg3LWdmeGgtbTlycs4AAxfQ

mrpack-install vulnerable to path traversal with dependency

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

Patches

No patches yet.

Workarounds

Avoid importing .mrpack files from untrusted sources.
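The Impact section above describes a path traversal through the file list of an imported .mrpack. As an added defensive example (not mrpack-install's own code), this Go snippet validates every `files[].path` from the pack index against the instance directory before any download starts; the index field names are assumed from the Modrinth format definition linked below.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)
// Subset of modrinth.index.json; the files[].path field name is assumed from the linked format definition.
type mrpackIndex struct {
	Files []struct{ Path string `json:"path"` } `json:"files"`
}
var errUnsafePath = errors.New("mrpack: file path escapes the instance directory")
// safeInstallPath resolves one files[].path against instanceDir and rejects absolute paths,
// volume prefixes, backslashes, and anything that leaves instanceDir once ".." is cleaned.
func safeInstallPath(instanceDir, entryPath string) (string, error) {
	p := filepath.FromSlash(entryPath)
	if p == "" || strings.ContainsRune(entryPath, '\\') ||
		filepath.IsAbs(p) || filepath.VolumeName(p) != "" {
		return "", errUnsafePath
	}
	base, err := filepath.Abs(instanceDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(base, p) // Join cleans "..", so verify with Rel.
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafePath
	}
	return dest, nil
}
// checkIndex validates every entry before any download starts, so one bad path aborts the whole import.
func checkIndex(instanceDir string, rawIndex []byte) ([]string, error) {
	var idx mrpackIndex
	if err := json.Unmarshal(rawIndex, &idx); err != nil {
		return nil, err
	}
	var dests []string
	for _, f := range idx.Files {
		d, err := safeInstallPath(instanceDir, f.Path)
		if err != nil {
			return nil, fmt.Errorf("%w: offending entry %q", err, f.Path)
		}
		dests = append(dests, d)
	}
	return dests, nil
}
```

Checking the whole index up front, rather than per file during download, avoids leaving a half-written instance when a later entry turns out to be malicious.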

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

Permalink: https://github.com/advisories/GHSA-r887-gfxh-m9rr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yODg3LWdmeGgtbTlycs4AAxfQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-r887-gfxh-m9rr, CVE-2023-25307
References: Repository: https://github.com/nothub/mrpack-install
Blast Radius: 1.0

Affected Packages

go:github.com/nothub/mrpack-install
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.16.2
Fixed in: 0.16.3
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2
All unaffected versions: 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.16.7, 0.16.8, 0.16.9, 0.16.10, 0.17.0