CVE-2023-25304: Path traversal during manual mrpack installation

Prism Launcher <= 6.1 is vulnerable to Directory Traversal.

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.
Remote attacks are unlikely due to format restrictions on the modrinth.com platform.

Because this vulnerability allows arbitrary code execution, confidentiality, integrity and availability are all at high risk.
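A defensive check for the `path` field of each entry in an mrpack index, added here as an example; it is not code from Prism Launcher or from the referenced patches. It assumes the index layout described in the linked format definition (a `files` array whose entries carry a `path`), and the sample index below is constructed.

```python
import json
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample, shaped like the `files` array of an mrpack index as
# described in the referenced format definition. Names and URLs are made up;
# the last four entries are the kinds of paths a validator must refuse.
SAMPLE_INDEX = json.dumps({
    "formatVersion": 1,
    "game": "minecraft",
    "name": "example-pack",
    "files": [
        {"path": "mods/example-mod.jar", "downloads": ["https://example.invalid/a.jar"]},
        {"path": "config/example.toml", "downloads": ["https://example.invalid/b.toml"]},
        {"path": "../../escaped.txt", "downloads": ["https://example.invalid/c"]},
        {"path": "/absolute/escaped.txt", "downloads": ["https://example.invalid/d"]},
        {"path": "mods\\..\\..\\escaped.txt", "downloads": ["https://example.invalid/e"]},
        {"path": "C:/escaped.txt", "downloads": ["https://example.invalid/f"]},
    ],
})


def is_safe_relative_path(path: str) -> bool:
    """Accept only a plain relative path that stays inside the instance directory.

    Rejects absolute paths (POSIX or Windows drive/UNC), backslash separators,
    NUL bytes, empty or '.'/'..' components, and anything that normalises to
    escape the root.
    """
    if not path or "\\" in path or "\0" in path:
        return False
    if PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute():
        return False
    if PureWindowsPath(path).drive:  # "C:foo" has a drive but is not absolute
        return False
    if any(part in ("", ".", "..") for part in path.split("/")):
        return False
    # Belt and braces: the normalised form must not climb out of the root.
    return not posixpath.normpath(path).startswith("..")


def check_mrpack_index(index_json: str) -> dict:
    """Split an mrpack index's file entries into accepted and rejected target paths."""
    accepted, rejected = [], []
    for entry in json.loads(index_json).get("files", []):
        target = entry.get("path", "")
        (accepted if is_safe_relative_path(target) else rejected).append(target)
    return {"accepted": accepted, "rejected": rejected}
```

Run the check on the index before any download starts and abort the whole import if `rejected` is non-empty, rather than silently skipping the bad entries.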

Patches

Patched in the 6.2 release (#810, #815).

Workarounds

Avoid importing .mrpack files from untrusted sources.

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

Related news

CVE-2023-25305: Five vulnerabilities found in mrpack installer implementations

PolyMC Launcher <= 1.4.3 is vulnerable to Directory Traversal. A mrpack file can be maliciously crafted to create arbitrary files outside of the installation directory.