GHSA-8jq6-w5cg-wm45
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8jq6-w5cg-wm45
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-8jq6-w5cg-wm45/GHSA-8jq6-w5cg-wm45.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8jq6-w5cg-wm45
- Published
- 2020-11-11T21:38:18Z
- Modified
- 2024-12-02T05:47:11.219050Z
- Summary
- Exploitable inventory component chaining in PocketMine-MP
- Details
-
Impact
Specially crafted
InventoryTransactionPackets sent by malicious clients were able to exploit the behaviour ofInventoryTransaction->findResultItem()and cause it to take an abnormally long time to execute (causing an apparent server freeze).The affected code is intended to compact conflicting
InventoryActionswhich are in the sameInventoryTransactionby flattening them into a single action. When multiple pathways to a result existed, the complexity of this flattening became exponential.The problem was fixed by bailing when ambiguities are detected.
At the time of writing, this exploit is being used in the wild by attackers to deny service to servers.
Patches
Upgrade to 3.15.4 or newer.
Workarounds
No practical workarounds are possible, short of backporting the fix or implementing checks in a plugin listening to
DataPacketReceiveEvent.References
c368ebb5e74632bc622534b37cd1447b97281e20
For more information
If you have any questions or comments about this advisory: * Email us at team@pmmp.io
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-400" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-11-11T21:38:07Z" }- References
Affected packages
Packagist / pocketmine/pocketmine-mp
Package
- Name
- pocketmine/pocketmine-mp
- Purl
- pkg:composer/pocketmine/pocketmine-mp
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.15.4