Описание
PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in LoginPacket due to vulnerable dependency
Impact
An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.
This happened due to a bug in netresearch/jsonmapper. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.
Patches
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
Workarounds
- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.
- A plugin may also be able to workaround this issue by using
DataPacketReceiveEventto attempt detection of suspicious payloads. AnErrorExceptionwill be thrown in the crash case, which can be caught by plugins.
References
cweiske/jsonmapper#210
Ссылки
- https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm
- https://github.com/cweiske/jsonmapper/pull/210
- https://github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2
- https://github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012
Пакеты
Наименование
pocketmine/pocketmine-mp
composer
Затронутые версииВерсия исправления
< 4.20.5
4.20.5
Наименование
pocketmine/pocketmine-mp
composer
Затронутые версииВерсия исправления
>= 4.21.0, < 4.21.1
4.21.1
7.5 High
CVSS3
7.5 High
CVSS3