GHSA-pqp3-8rrw-g8vm: PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency

Impact

An attacker could crash the server by sending malformed JWT JSON in `LoginPacket`. The crash stems from a security vulnerability in netresearch/jsonmapper, which did not properly check for JSON arrays and objects being mapped onto scalar model properties such as strings.
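The kind of type check whose absence is described above, as an added example (not code from PocketMine-MP, JsonMapper or the fix commit): decoded JSON values are compared against the declared scalar type of each model property and rejected instead of coerced. `ClaimsModel`, `mapScalarsStrict` and the field names are hypothetical, the sample payloads are constructed, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical model with scalar properties (not a PocketMine-MP class).
final class ClaimsModel {
    public string $displayName = "";
    public int $issuedAt = 0;
    public bool $verified = false;
}

/** Maps decoded JSON onto $model; throws when a scalar property receives a value of another type. */
function mapScalarsStrict(string $json, object $model): object {
    $data = json_decode($json, false, 16, JSON_THROW_ON_ERROR);
    if (!$data instanceof stdClass) {
        throw new InvalidArgumentException("top-level JSON value must be an object");
    }
    $checks = ["string" => "is_string", "int" => "is_int", "bool" => "is_bool", "float" => "is_float"];
    foreach ((new ReflectionObject($model))->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
        $name = $prop->getName();
        $type = $prop->getType();
        if (!property_exists($data, $name) || !$type instanceof ReflectionNamedType) {
            continue; // absent key keeps the default; untyped properties are out of scope here
        }
        $check = $checks[$type->getName()] ?? null;
        if ($check === null) {
            continue; // non-scalar property: not handled in this example
        }
        if (!$check($data->$name)) {
            // Arrays and objects (stdClass) land here instead of being converted to a scalar.
            throw new InvalidArgumentException(sprintf(
                "%s: expected %s, got %s", $name, $type->getName(), get_debug_type($data->$name)));
        }
        $prop->setValue($model, $data->$name);
    }
    return $model;
}

// Constructed sample inputs: one well-formed, two with non-scalar values in a string field.
$samples = [
    '{"displayName":"Steve","issuedAt":1685400000,"verified":true}',
    '{"displayName":["Steve"],"issuedAt":1685400000}',
    '{"displayName":{"a":1}}',
];
foreach ($samples as $json) {
    try {
        echo "accepted: ", mapScalarsStrict($json, new ClaimsModel())->displayName, "\n";
    } catch (InvalidArgumentException | JsonException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```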

Patches

The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 include the fix.

Workarounds

  • Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.
  • A plugin may also be able to work around this issue by using `DataPacketReceiveEvent` to attempt detection of suspicious payloads. An `ErrorException` will be thrown in the crash case, which can be caught by plugins.

References

cweiske/jsonmapper#210


High severity • GitHub Reviewed • Published May 30, 2023 in pmmp/PocketMine-MP • Updated Jun 6, 2023
