GHSA-92jh-gwch-jq38: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
High severity · GitHub Reviewed · Published Sep 13, 2023 in pmmp/PocketMine-MP · Updated Sep 14, 2023
Package
pocketmine/pocketmine-mp (Composer)
Affected versions
>= 5.0.0, <= 5.3.0
<= 4.23.0
Patched versions
5.3.1
4.23.1
Impact
An attacker could crash the server by sending malformed JWT JSON in LoginPacket. The root cause is a vulnerability in netresearch/jsonmapper, which accepted NULL values in arrays whose declared element types do not allow NULL.
Patches
This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c
Workarounds
A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it’s not expected, but this is rather cumbersome.
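The workaround above, as an added example that is not code from the advisory or from PocketMine-MP: a plugin listener that decodes the JWT payloads carried by LoginPacket itself and disconnects the client if any JSON array contains a NULL element, so the server's JsonMapper never sees the input. It assumes the PocketMine-MP 4.x/5.x event API, the bedrock-protocol public fields `LoginPacket::$chainDataJwt->chain` (declared `string[]`) and `LoginPacket::$clientDataJwt`, and a hypothetical plugin namespace `example\nullguard` (its plugin.yml is not shown). It is deliberately stricter than the advisory's wording: it rejects NULL inside any array rather than only where the server's types forbid it.

```php
<?php
declare(strict_types=1);

// Added example (not advisory or PocketMine-MP code): a plugin that applies the
// advisory's workaround by rejecting LoginPacket JWT payloads whose JSON arrays
// contain NULL elements before the server maps them with JsonMapper.
// Assumed: PocketMine-MP 4.x/5.x event API, the bedrock-protocol public fields
// LoginPacket::$chainDataJwt->chain (string[]) and LoginPacket::$clientDataJwt,
// and the hypothetical plugin namespace example\nullguard (plugin.yml not shown).

namespace example\nullguard;

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener{

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	/**
	 * PocketMine fires DataPacketReceiveEvent before the session's packet handler
	 * runs and skips handling when the event is cancelled, so rejecting here keeps
	 * the payload away from the server's JsonMapper.
	 *
	 * @priority LOWEST
	 */
	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof LoginPacket){
			return;
		}

		// The identity chain (one or more JWTs) plus the client data JWT.
		$tokens = $packet->chainDataJwt->chain;
		$tokens[] = $packet->clientDataJwt;

		foreach($tokens as $jwt){
			// chain is declared string[]; anything else is already malformed input
			if(!is_string($jwt) || self::payloadHasNullInArray($jwt)){
				$event->cancel();
				$event->getOrigin()->disconnect("Invalid login data");
				return;
			}
		}
	}

	/**
	 * Decodes the JWT payload (second dot-separated segment, base64url) and checks
	 * it. Tokens that are not well-formed JWT or JSON are left to the server's own
	 * parser, which rejects them anyway; only the NULL-in-array case needs help.
	 */
	public static function payloadHasNullInArray(string $jwt) : bool{
		$parts = explode(".", $jwt);
		if(count($parts) !== 3){
			return false;
		}
		$json = base64_decode(strtr($parts[1], "-_", "+/"), true);
		if($json === false){
			return false;
		}
		// Decode objects as stdClass so JSON arrays and JSON objects stay
		// distinguishable: the bug concerns NULL elements of arrays, while a
		// NULL object property may be legitimately nullable.
		$claims = json_decode($json, false, 512);
		if(json_last_error() !== JSON_ERROR_NONE){
			return false;
		}
		return self::hasNullInArray($claims);
	}

	/** Recursively looks for a NULL element inside any JSON array. */
	public static function hasNullInArray(mixed $value) : bool{
		if(is_array($value)){
			foreach($value as $element){
				if($element === null || self::hasNullInArray($element)){
					return true;
				}
			}
		}elseif($value instanceof \stdClass){
			foreach(get_object_vars($value) as $property){
				if(self::hasNullInArray($property)){
					return true;
				}
			}
		}
		return false;
	}
}
```

With this listener loaded, a constructed client-data payload such as `{"DeviceOS":1,"Foo":[null]}` (base64url-encoded as the middle segment of a token) is rejected with a disconnect, while `{"Foo":null}` is allowed through because a NULL object property, unlike a NULL array element, is not what the advisory describes. The decoding is done by hand rather than through the server's JWT helper so the plugin does not depend on internal APIs; signature verification is untouched and still happens in the server's normal login handling.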
References
- GHSA-92jh-gwch-jq38
- pmmp/netresearch-jsonmapper@4f90e8d
Published to the GitHub Advisory Database
Sep 14, 2023
Last updated
Sep 14, 2023