GHSA-wjfq-88q2-r34j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wjfq-88q2-r34j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wjfq-88q2-r34j/GHSA-wjfq-88q2-r34j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wjfq-88q2-r34j
- Published
- 2022-01-21T23:02:14Z
- Modified
- 2024-12-05T05:24:41.871593Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Unhandled exception when decoding form response JSON
- Details
-
Impact
When handling form responses from the client (
ModalFormResponsePacket), the Minecraft Windows client may send weird JSON thatjson_decode()can't understand. A workaround for this is implemented inInGamePacketHandler::stupid_json_decode().An
InvalidArgumentExceptionis thrown by this function when it fails to fix an error found in the JSON, which is not caught by the caller. This leads to a server crash.Patches
56fe71d939c38fe14e18a31a673a9331bcc0e4ca
Workarounds
A plugin may handle
DataPacketReceiveEvent, captureModalFormResponsePacketand run the provided JSON throughstupid_json_decode.Note that this requires copying the body of the function to a plugin, since the function is currently private.
For more information
If you have any questions or comments about this advisory: * Email us at team@pmmp.io
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-01-21T21:16:09Z" }- References
Affected packages
Packagist / pocketmine/pocketmine-mp
Package
- Name
- pocketmine/pocketmine-mp
- Purl
- pkg:composer/pocketmine/pocketmine-mp