GHSA-xh99-hw7h-wf63
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xh99-hw7h-wf63
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-xh99-hw7h-wf63/GHSA-xh99-hw7h-wf63.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xh99-hw7h-wf63
- Published
- 2022-01-13T22:25:44Z
- Modified
- 2024-12-04T05:57:55.810575Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Unchecked validity of Facing values in PlayerActionPacket
- Details
-
Impact
A remote attacker may crash a server by sending
PlayerActionPacketwith invalid facing values (e.g. negative), specifically withSTART_BREAKorCRACK_BLOCKactions, or with aUseItemTransactionData(typically inInventoryTransactionPacket).Patches
f126479c37ff00a717a828f5271cf8e821d12d6c
Workarounds
Using a plugin, cancel
DataPacketReceiveEventif the packet isPlayerActionPacketand the facing is outside the range 0-5 when receiving STARTBREAK or CRACKBLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases.For more information
If you have any questions or comments about this advisory: * Email us at team@pmmp.io
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-01-13T22:08:36Z" }- References
Affected packages
Packagist / pocketmine/pocketmine-mp
Package
- Name
- pocketmine/pocketmine-mp
- Purl
- pkg:composer/pocketmine/pocketmine-mp
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0.6
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.14.3
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.16.0
3.16.1
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.18.0
3.18.1
3.18.2
3.19.0
3.19.1
3.19.2
3.19.3
3.20.0
3.21.0
3.21.1
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0
3.23.1
3.24.0
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4
3.25.5
3.25.6
3.26.0
3.26.1
3.26.2
3.26.3
3.26.4
3.26.5
3.27.0
3.28.0
4.*
4.0.0-BETA1
4.0.0-BETA2
4.0.0-BETA3
4.0.0-BETA4
4.0.0-BETA5
4.0.0-BETA6
4.0.0-BETA7
4.0.0-BETA8
4.0.0-BETA9
4.0.0-BETA10
4.0.0-BETA11
4.0.0-BETA12
4.0.0-BETA13
4.0.0-BETA14
4.0.0-BETA15
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5