Headline
CVE-2022-24300: Build software better, together
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.
Package
No package listed
Affected versions
<=5.3.0
Impact
If a mod saves user input in an ItemStack’s metadata, then this can be abused by an attacker to add or modify other meta fields of the same item stack.
What this allows depends on what mods do with the meta data:
- If a mod uses meta to match keys with doors/chests, then this issue would allow attackers to craft keys to match any door/chest.
- Some mods create items from item meta, which would allow attackers to get unlimited quantities of arbitrary items.
- Denial of Service attacks.
Patches
b5956bd
Workarounds
It is recommended that you update to Minetest 5.4+ or cherry-pick the patch.
Alternatively, you can workaround this issue by removing control characters before setting ItemStack meta:
value = value:gsub("[\x01\x02\x03]", “”) meta:set_string("key", value)
GHSA ID
GHSA-hwj2-xf72-r4cf
CVSS Score
8.2 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H