GHSA-hvm9-wc8j-mgrc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hvm9-wc8j-mgrc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-hvm9-wc8j-mgrc/GHSA-hvm9-wc8j-mgrc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hvm9-wc8j-mgrc
- Published
- 2024-12-18T18:19:12Z
- Modified
- 2024-12-18T18:46:35.452868Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H CVSS Calculator
- Summary
- TShock Security Escalation Exploit
- Details
-
Impact
An issue with the way OTAPI manages client connections results in stale UUIDs remaining on
RemoteClientinstances after a player disconnects.Because of this, if the following conditions are met a player may assume the login state of a previously connected player: 1. The server has UUID login enabled 2. An authenticated player disconnects 3. A subsequent player connects with a modified client that does not send the
ClientUUID#68packet during connection 4. The server assigns the sameRemoteClientobject that belonged to the originally authenticated player to the newly connected playerPatches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Workarounds
Implement a RemoteClient reset event handler in a plugin like so:
public override void Initialize() { On.Terraria.RemoteClient.Reset += RemoteClient_Reset; } private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client) { client.ClientUUID = null; orig(client); } - Database specific
{ "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2024-12-18T18:19:12Z", "severity": "HIGH", "cwe_ids": [ "CWE-305", "CWE-613", "CWE-863" ] }- References
Affected packages
NuGet / TShock
Package
- Name
- TShock
- View open source insights on deps.dev
- Purl
- pkg:nuget/TShock