Description
mrpack-install vulnerable to path traversal with dependency
Impact
Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.
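The check an installer needs before writing each downloaded file, as an added example (not the project's own code or its fix). It assumes the traversal arrives through the `path` field of a `files` entry in the pack index, the section the reference below points to; `safeJoin`, `rejected` and the sample index are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample index (not from a real pack); only "path" matters here.
const sampleIndex = `{"files":[{"path":"mods/example.jar"},{"path":"../../.bashrc"},
 {"path":"config/../../startup.sh"},{"path":"/etc/cron.d/job"},
 {"path":"mods\\..\\..\\run.bat"}]}`

// safeJoin (hypothetical helper) resolves packPath under baseDir or fails.
func safeJoin(baseDir, packPath string) (string, error) {
	p := strings.ReplaceAll(packPath, `\`, "/") // treat Windows separators alike on every OS
	// Reject empty, rooted and drive-letter paths before any joining.
	if p == "" || strings.HasPrefix(p, "/") || (len(p) > 1 && p[1] == ':') {
		return "", fmt.Errorf("absolute or empty path %q", packPath)
	}
	base := filepath.Clean(baseDir)
	target := filepath.Join(base, filepath.FromSlash(p)) // Join collapses ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %s", packPath, base)
	}
	return target, nil
}

// rejected lists every files[].path in the index that must not be written.
func rejected(indexJSON, baseDir string) ([]string, error) {
	var idx struct {
		Files []struct{ Path string `json:"path"` } `json:"files"`
	}
	if err := json.Unmarshal([]byte(indexJSON), &idx); err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range idx.Files {
		if _, err := safeJoin(baseDir, f.Path); err != nil {
			bad = append(bad, f.Path)
		}
	}
	return bad, nil
}

func main() {
	fmt.Println(rejected(sampleIndex, "server"))
}
```

The check is lexical: it does not account for symlinks that already exist under the install directory.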
Patches
No patches yet.
Workarounds
Avoid importing .mrpack files from untrusted sources.
References
https://docs.modrinth.com/docs/modpacks/format_definition/#files
Links
- https://github.com/nothub/mrpack-install/security/advisories/GHSA-r887-gfxh-m9rr
- https://nvd.nist.gov/vuln/detail/CVE-2023-25307
- https://github.com/nothub/mrpack-install/commit/a1f424b6a616d2de95228781eef3b92b9769f23c
- https://github.com/nothub/mrpack-install/releases/tag/v0.16.3
- https://quiltmc.org/en/blog/2023-02-04-five-installer-vulnerabilities
Packages
Name: github.com/nothub/mrpack-install (go)
Affected versions: <= 0.16.2
Fixed version: 0.16.3
Related vulnerabilities
CVSS3: 7.8
nvd
more than 2 years ago
nothub mrpack-install <= v0.16.2 is vulnerable to Directory Traversal.