GHSA-92jh-gwch-jq38

Source

https://github.com/advisories/GHSA-92jh-gwch-jq38

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-92jh-gwch-jq38/GHSA-92jh-gwch-jq38.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-92jh-gwch-jq38

Published

2023-09-14T17:10:37Z

Modified

2024-11-28T05:41:15.644859Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

Details

Impact

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.

This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.

Code processing arrays in the JSON data could then crash due to unexpected NULL elements.

Patches

This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c

An upstream patch for this issue was proposed via https://github.com/cweiske/jsonmapper/pull/211; however, as of 2024-05-15, the patch has not been accepted upstream due to debate about how to deal with the behavior. For now, a fork of JsonMapper is used by PocketMine-MP to workaround the issue.

Workarounds

A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.

References

Proposed upstream patch for a behavior change: https://github.com/cweiske/jsonmapper/pull/211

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-14T17:10:37Z"
}

References

Affected packages

Packagist / pocketmine/pocketmine-mp

Package

Name: pocketmine/pocketmine-mp
Purl: pkg:composer/pocketmine/pocketmine-mp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.3.1

Affected versions

5.*

5.0.0

5.0.1

5.1.0

5.1.1

5.1.2

5.1.3

5.2.0

5.2.1

5.3.0

Database specific

{
    "last_known_affected_version_range": "<= 5.3.0"
}

Packagist / pocketmine/pocketmine-mp

Package

Name: pocketmine/pocketmine-mp
Purl: pkg:composer/pocketmine/pocketmine-mp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.23.1

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.4.0

3.4.1

3.4.2

3.4.3

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.8.7

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.10.0

3.10.1

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.12.0

3.12.1

3.12.2

3.12.3

3.12.4

3.12.5

3.12.6

3.13.0

3.13.1

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.16.0

3.16.1

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.17.5

3.17.6

3.17.7

3.18.0

3.18.1

3.18.2

3.19.0

3.19.1

3.19.2

3.19.3

3.20.0

3.21.0

3.21.1

3.22.0

3.22.1

3.22.2

3.22.3

3.22.4

3.22.5

3.23.0

3.23.1

3.24.0

3.25.0

3.25.1

3.25.2

3.25.3

3.25.4

3.25.5

3.25.6

3.26.0

3.26.1

3.26.2

3.26.3

3.26.4

3.26.5

3.27.0

3.28.0

4.*

4.0.0-BETA1

4.0.0-BETA2

4.0.0-BETA3

4.0.0-BETA4

4.0.0-BETA5

4.0.0-BETA6

4.0.0-BETA7

4.0.0-BETA8

4.0.0-BETA9

4.0.0-BETA10

4.0.0-BETA11

4.0.0-BETA12

4.0.0-BETA13

4.0.0-BETA14

4.0.0-BETA15

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.1.0-BETA1

4.1.0-BETA2

4.1.0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.4.0-BETA1

4.4.0

4.4.1

4.4.2

4.5.0

4.5.1

4.5.2

4.6.0

4.6.1

4.6.2

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.1

4.9.0

4.9.1

4.10.0

4.10.1

4.10.2

4.11.0-BETA1

4.11.0-BETA2

4.11.0

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.12.6

4.12.7

4.12.8

4.12.9

4.12.10

4.12.11

4.13.0-BETA1

4.13.0

4.14.0

4.14.1

4.15.0

4.15.1

4.15.2

4.15.3

4.16.0-BETA1

4.16.0-BETA2

4.16.0

4.17.0

4.17.1

4.17.2

4.18.0-ALPHA1

4.18.0-ALPHA2

4.18.0

4.18.1

4.18.2

4.18.3

4.18.4

4.19.0

4.19.1

4.19.2

4.19.3

4.20.0

4.20.1

4.20.2

4.20.3

4.20.4

4.20.5

4.21.0

4.21.1

4.22.0

4.22.1

4.22.2

4.22.3

4.23.0

Database specific

{
    "last_known_affected_version_range": "<= 4.23.0"
}