GHSA-92jh-gwch-jq38

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-92jh-gwch-jq38/GHSA-92jh-gwch-jq38.json

Published

2023-09-14T17:10:37Z

Modified

2023-09-14T17:18:07.847271Z

Details

Impact

An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to accepting NULL values in arrays whose types do not expect NULL.

Patches

This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c

Workarounds

A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.

References

Affected packages

Packagist / pocketmine/pocketmine-mp

Source Details

Package Name: pocketmine/pocketmine-mp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.3.1

Affected versions

5.*

5.0.0

5.0.1

5.1.0

5.1.1

5.1.2

5.1.3

5.2.0

5.2.1

5.3.0

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Database specific

{
    "last_known_affected_version_range": "<= 5.3.0"
}

Packagist / pocketmine/pocketmine-mp

Source Details

Package Name: pocketmine/pocketmine-mp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.23.1

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.4.0

3.4.1

3.4.2

3.4.3

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.8.7

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.10.0

3.10.1

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.12.0

3.12.1

3.12.2

3.12.3

3.12.4

3.12.5

3.12.6

3.13.0

3.13.1

3.14.0

3.14.1

3.14.2

3.14.3

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.16.0

3.16.1

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.17.5

3.17.6

3.17.7

3.18.0

3.18.1

3.18.2

3.19.0

3.19.1

3.19.2

3.19.3

3.20.0

3.21.0

3.21.1

3.22.0

3.22.1

3.22.2

3.22.3

3.22.4

3.22.5

3.23.0

3.23.1

3.24.0

3.25.0

3.25.1

3.25.2

3.25.3

3.25.4

3.25.5

3.25.6

3.26.0

3.26.1

3.26.2

3.26.3

3.26.4

3.26.5

3.27.0

3.28.0

4.*

4.0.0-BETA1

4.0.0-BETA2

4.0.0-BETA3

4.0.0-BETA4

4.0.0-BETA5

4.0.0-BETA6

4.0.0-BETA7

4.0.0-BETA8

4.0.0-BETA9

4.0.0-BETA10

4.0.0-BETA11

4.0.0-BETA12

4.0.0-BETA13

4.0.0-BETA14

4.0.0-BETA15

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.1.0-BETA1

4.1.0-BETA2

4.1.0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.4.0-BETA1

4.4.0

4.4.1

4.4.2

4.5.0

4.5.1

4.5.2

4.6.0

4.6.1

4.6.2

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.8.1

4.9.0

4.9.1

4.10.0

4.10.1

4.10.2

4.11.0-BETA1

4.11.0-BETA2

4.11.0

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.12.6

4.12.7

4.12.8

4.12.9

4.12.10

4.12.11

4.13.0-BETA1

4.13.0

4.14.0

4.14.1

4.15.0

4.15.1

4.15.2

4.15.3

4.16.0-BETA1

4.16.0-BETA2

4.16.0

4.17.0

4.17.1

4.17.2

4.18.0-ALPHA1

4.18.0-ALPHA2

4.18.0

4.18.1

4.18.2

4.18.3

4.18.4

4.19.0

4.19.1

4.19.2

4.19.3

4.20.0

4.20.1

4.20.2

4.20.3

4.20.4

4.20.5

4.21.0

4.21.1

4.22.0

4.22.1

4.22.2

4.22.3

4.23.0

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Database specific

{
    "last_known_affected_version_range": "<= 4.23.0"
}