GHSA-H6J3-J35F-V2X7

Vulnerability from github – Published: 2024-03-06 17:02 – Updated: 2024-05-15 14:30
Summary
PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)
Details

Impact

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.

netresearch/jsonmapper allows objects to be hydrated from scalar types in JSON. However, due to the lack of validation in the code for this feature, it may output improperly initialized objects if applied to objects whose constructors don't handle the input values.

Code handling these objects in PocketMine-MP could then crash due to `@required` properties not being set within the objects.

In addition, because JsonMapper does not respect `bStrictObjectTypes` when processing arrays, it's not possible to avoid the issue by disabling the feature.
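
An added illustration of the failure mode described above, not PocketMine-MP or JsonMapper code: `ExampleClientData`, `hydrate()` and `assertRequiredInitialized()` are hypothetical names, the JSON input is constructed, and PHP 8 is assumed. It contrasts an unvalidated scalar-to-object path inside an array with a check at the parsing boundary that rejects the element before any consumer reads an uninitialized property.

```php
<?php
// Constructed stand-in for a login-data model; not a PocketMine-MP class.
final class ExampleClientData {
    /** @required */
    public string $deviceId;
    /** @required */
    public int $protocol;
}

// Throws if any property documented as @required was left uninitialized.
function assertRequiredInitialized(object $obj): void {
    foreach ((new ReflectionObject($obj))->getProperties() as $prop) {
        $doc = $prop->getDocComment();
        if ($doc !== false && str_contains($doc, '@required') && !$prop->isInitialized($obj)) {
            throw new UnexpectedValueException("required property {$prop->getName()} was not set");
        }
    }
}

// Hypothetical simplified mapper written for this example (not JsonMapper's code).
function hydrate(string $class, mixed $json, bool $validate): object {
    if (!is_object($json)) {
        if ($validate) {
            throw new UnexpectedValueException("expected object for $class, got " . get_debug_type($json));
        }
        return new $class($json); // scalar passed to `new`; the class ignores it
    }
    $obj = new $class();
    foreach (get_object_vars($json) as $key => $value) {
        if (property_exists($obj, $key)) { $obj->$key = $value; }
    }
    if ($validate) { assertRequiredInitialized($obj); }
    return $obj;
}

// Constructed input: an array whose second element is a scalar, not an object.
$untrusted = json_decode('[{"deviceId":"abc","protocol":1}, 5]', false, 8, JSON_THROW_ON_ERROR);
foreach ([false, true] as $validate) {
    foreach ($untrusted as $i => $element) {
        try {
            $data = hydrate(ExampleClientData::class, $element, $validate);
            echo "validate=" . (int) $validate . " [$i] ok: {$data->deviceId}\n";
        } catch (Throwable $e) {
            echo "validate=" . (int) $validate . " [$i] " . get_class($e) . ": {$e->getMessage()}\n";
        }
    }
}
```

Without validation the failure surfaces as an `Error` at the first property read, away from the parser; with validation it is an `UnexpectedValueException` raised at the parsing boundary, which a packet handler can treat as a rejected login.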

Due to the relatively high number of security issues arising from unexpected behaviour in JsonMapper, the team is exploring options to replace it.

Patches

In the meantime, the issue was fixed by pmmp/netresearch-jsonmapper@b96a209f9e8b76b899a0d0918493cd87eb3c02a7 and pmmp/PocketMine-MP@6872661fd03649cc7a8762c41c16e9ee5a4de1c9.

Workarounds

Detecting the malicious data that triggers this issue is of rather high difficulty, so it's not likely that a plugin would be able to easily remediate this.

References

https://github.com/cweiske/jsonmapper/pull/225
https://github.com/cweiske/jsonmapper/issues/226


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pocketmine/pocketmine-mp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T17:02:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.\n\n[netresearch/jsonmapper](https://github.com/cweiske/JsonMapper) allows objects to be hydrated from scalar types in JSON. However, due to the lack of validation in the code for this feature, it may output improperly initialized objects if applied to objects whose constructors don\u0027t handle the input values.\n\nCode handling these objects in PocketMine-MP could then crash due to `@required` properties not being set within the objects.\n\nIn addition, because JsonMapper does not respect `bStrictObjectTypes` when processing arrays, it\u0027s not possible to avoid the issue by disabling the feature.\n\nDue to the relatively high number of security issues arising from unexpected behaviour in JsonMapper, the team is exploring options to replace it.\n\n### Patches\nIn the meantime, the issue was fixed by pmmp/netresearch-jsonmapper@b96a209f9e8b76b899a0d0918493cd87eb3c02a7 and 6872661fd03649cc7a8762c41c16e9ee5a4de1c9.\n\n### Workarounds\nDetecting the malicious data that triggers this issue is of rather high difficulty, so it\u0027s not likely that a plugin would be able to easily remediate this.\n\n### References\nhttps://github.com/cweiske/jsonmapper/pull/225\nhttps://github.com/cweiske/jsonmapper/issues/226\n",
  "id": "GHSA-h6j3-j35f-v2x7",
  "modified": "2024-05-15T14:30:10Z",
  "published": "2024-03-06T17:02:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6j3-j35f-v2x7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cweiske/jsonmapper/issues/226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cweiske/jsonmapper/pull/225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/PocketMine-MP/commit/6872661fd03649cc7a8762c41c16e9ee5a4de1c9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/netresearch-jsonmapper/commit/b96a209f9e8b76b899a0d0918493cd87eb3c02a7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pmmp/PocketMine-MP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)"
}

