Vulnerability-Lookup

CVE-2023-35925 (GCVE-0-2023-35925)

Vulnerability from cvelistv5 – Published: 2023-06-23 15:07 – Updated: 2024-11-27 21:02

Title

FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption

Summary

FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.

Severity ?

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/IntellectualSites/FastAsyncWor…	x_refsource_CONFIRM
	https://github.com/IntellectualSites/FastAsyncWor…	x_refsource_MISC
	https://github.com/IntellectualSites/FastAsyncWor…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	IntellectualSites	FastAsyncWorldEdit	Affected: < 2.6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:37:40.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
          },
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
          },
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-35925",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T21:02:44.922770Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T21:02:52.576Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FastAsyncWorldEdit",
          "vendor": "IntellectualSites",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-23T15:07:03.431Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
        },
        {
          "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
        },
        {
          "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
        }
      ],
      "source": {
        "advisory": "GHSA-whj9-m24x-qhhp",
        "discovery": "UNKNOWN"
      },
      "title": "FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-35925",
    "datePublished": "2023-06-23T15:07:03.431Z",
    "dateReserved": "2023-06-20T14:02:45.592Z",
    "dateUpdated": "2024-11-27T21:02:52.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-35925",
      "date": "2026-05-06",
      "epss": "0.00287",
      "percentile": "0.52039"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-35925\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-23T16:15:09.477\",\"lastModified\":\"2024-11-21T08:08:59.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intellectualsites:fastasyncworldedit:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6.3\",\"matchCriteriaId\":\"FC7A135E-1B28-4070-AB2D-14BAC7CD983D\"}]}]}],\"references\":[{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:37:40.084Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-35925\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T21:02:44.922770Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T21:02:49.017Z\"}}], \"cna\": {\"title\": \"FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption\", \"source\": {\"advisory\": \"GHSA-whj9-m24x-qhhp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"IntellectualSites\", \"product\": \"FastAsyncWorldEdit\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.6.3\"}]}], \"references\": [{\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\", \"name\": \"https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-23T15:07:03.431Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-35925\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T21:02:52.576Z\", \"dateReserved\": \"2023-06-20T14:02:45.592Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-23T15:07:03.431Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-35925

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-35925

Aliases

CVE-2023-35925

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-35925",
    "id": "GSD-2023-35925"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-35925"
      ],
      "details": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.",
      "id": "GSD-2023-35925",
      "modified": "2023-12-13T01:20:46.001978Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-35925",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "FastAsyncWorldEdit",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.6.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "IntellectualSites"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp",
            "refsource": "MISC",
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
          },
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
            "refsource": "MISC",
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
          },
          {
            "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
            "refsource": "MISC",
            "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-whj9-m24x-qhhp",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.6.3)",
          "affected_versions": "All versions before 2.6.3",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-07-03",
          "description": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.",
          "fixed_versions": [
            "2.6.3"
          ],
          "identifier": "CVE-2023-35925",
          "identifiers": [
            "CVE-2023-35925",
            "GHSA-whj9-m24x-qhhp"
          ],
          "not_impacted": "All versions starting from 2.6.3",
          "package_slug": "maven/com.fastasyncworldedit/FastAsyncWorldEdit-Bukkit",
          "pubdate": "2023-06-23",
          "solution": "Upgrade to version 2.6.3 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-35925",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
          ],
          "uuid": "cf9f03dc-753e-4ff5-9c71-0e944d38fd0e"
        },
        {
          "affected_range": "(,2.6.3)",
          "affected_versions": "All versions before 2.6.3",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-07-03",
          "description": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3.",
          "fixed_versions": [
            "2.6.3"
          ],
          "identifier": "CVE-2023-35925",
          "identifiers": [
            "CVE-2023-35925",
            "GHSA-whj9-m24x-qhhp"
          ],
          "not_impacted": "All versions starting from 2.6.3",
          "package_slug": "maven/com.fastasyncworldedit/FastAsyncWorldEdit-Core",
          "pubdate": "2023-06-23",
          "solution": "Upgrade to version 2.6.3 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-35925",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
            "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
          ],
          "uuid": "7d004814-bdc6-433d-af94-7d262fb2bcfd"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:intellectualsites:fastasyncworldedit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-35925"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
            },
            {
              "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
            },
            {
              "name": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-03T20:46Z",
      "publishedDate": "2023-06-23T16:15Z"
    }
  }
}

GHSA-WHJ9-M24X-QHHP

Vulnerability from github – Published: 2023-06-22 20:00 – Updated: 2023-06-22 20:00

Summary

FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption

Details

Coordinated Disclosure Timeline

10.06.2023: Issue reported to IntellectualSites
11.06.2023: Issue is acknowledged
12.06.2023: Issue has been fixed
22.06.2023: Advisory has been published

Impacted version range

Before 2.6.3

Details

Proof of Concept

As a user, do the following:

Select position 1 via //pos1
Select position 2 adding the "Infinity" keyword via //pos2 Infinity
Execute any further operation.

The steps 1 and 2 are interchangeable.

Impact

Such a task has a possibility of bringing the performing server down.

CVE

CVE-2023-35925

Credit

This issue was discovered and reported by @SuperMonis.

Solution

On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.

Workarounds

There is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.

Additional Information

Users with access to the logs/ folder or shell access on their server can try to identify possible abuses of this issue by going through the logs. To sieve through the data, you can use the regex query \/\/pos[12] Infinity, then investigate all log entries that return results.

Disclosure Policy

If you discover a security vulnerability within our software, please report the issue according to our vulnerability disclosure policy.

Severity ?

6.2 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fastasyncworldedit:FastAsyncWorldEdit-Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fastasyncworldedit:FastAsyncWorldEdit-Bukkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T20:00:36Z",
    "nvd_published_at": "2023-06-23T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Coordinated Disclosure Timeline\n\n- 10.06.2023: Issue reported to IntellectualSites\n- 11.06.2023: Issue is acknowledged\n- 12.06.2023: Issue has been fixed\n- 22.06.2023: Advisory has been published\n\n### Impacted version range\n\nBefore 2.6.3\n\n### Details\n\n#### Proof of Concept\n\nAs a user, do the following:\n\n1. Select position 1 via `//pos1`\n2. Select position 2 adding the \"Infinity\" keyword via `//pos2 Infinity`\n3. Execute any further operation.\n\nThe steps 1 and 2 are interchangeable.\n\n#### Impact\n\nSuch a task has a possibility of bringing the performing server down.\n\n#### CVE\n\n- CVE-2023-35925\n\n#### Credit\n\nThis issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis.\n\n### Solution\n\nOn June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability.\nWe strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.\n\n### Workarounds\n\nThere is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.\n\n### Additional Information\n\nUsers with access to the `logs/` folder or shell access on their server can try to identify possible abuses of this issue by going through the logs.\nTo sieve through the data, you can use the regex query `\\/\\/pos[12] Infinity`, then investigate all log entries that return results.\n\n### Disclosure Policy\n\nIf you discover a security vulnerability within our software, please report the issue according to our [vulnerability disclosure policy](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md).",
  "id": "GHSA-whj9-m24x-qhhp",
  "modified": "2023-06-22T20:00:36Z",
  "published": "2023-06-22T20:00:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption"
}

FKIE_CVE-2023-35925

Vulnerability from fkie_nvd - Published: 2023-06-23 16:15 - Updated: 2024-11-21 08:08

Severity ?

6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285	Patch
security-advisories@github.com	https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3	Release Notes
security-advisories@github.com	https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	intellectualsites	fastasyncworldedit	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:intellectualsites:fastasyncworldedit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC7A135E-1B28-4070-AB2D-14BAC7CD983D",
              "versionEndExcluding": "2.6.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables the attacker to select a region with the `Infinity` keyword (case-sensitive!) and executes any operation. This has a possibility of bringing the performing server down. This issue has been fixed in version 2.6.3."
    }
  ],
  "id": "CVE-2023-35925",
  "lastModified": "2024-11-21T08:08:59.337",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-23T16:15:09.477",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-35925 (GCVE-0-2023-35925)

GSD-2023-35925

GHSA-WHJ9-M24X-QHHP

Coordinated Disclosure Timeline

Impacted version range

Details

Proof of Concept

Impact

CVE

Credit

Solution

Workarounds

Additional Information

Disclosure Policy

FKIE_CVE-2023-35925

Tags

Sightings

Nomenclature