GHSA-8JQ6-W5CG-WM45
Vulnerability from github – Published: 2020-11-11 21:38 – Updated: 2020-11-11 21:38Impact
Specially crafted InventoryTransactionPackets sent by malicious clients were able to exploit the behaviour of InventoryTransaction->findResultItem() and cause it to take an abnormally long time to execute (causing an apparent server freeze).
The affected code is intended to compact conflicting InventoryActions which are in the same InventoryTransaction by flattening them into a single action. When multiple pathways to a result existed, the complexity of this flattening became exponential.
The problem was fixed by bailing when ambiguities are detected.
At the time of writing, this exploit is being used in the wild by attackers to deny service to servers.
Patches
Upgrade to 3.15.4 or newer.
Workarounds
No practical workarounds are possible, short of backporting the fix or implementing checks in a plugin listening to DataPacketReceiveEvent.
References
c368ebb5e74632bc622534b37cd1447b97281e20
For more information
If you have any questions or comments about this advisory: * Email us at team@pmmp.io
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-11-11T21:38:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nSpecially crafted `InventoryTransactionPacket`s sent by malicious clients were able to exploit the behaviour of `InventoryTransaction-\u003efindResultItem()` and cause it to take an abnormally long time to execute (causing an apparent server freeze).\n\nThe affected code is intended to compact conflicting `InventoryActions` which are in the same `InventoryTransaction` by flattening them into a single action. When multiple pathways to a result existed, the complexity of this flattening became exponential.\n\nThe problem was fixed by bailing when ambiguities are detected.\n\n**At the time of writing, this exploit is being used in the wild by attackers to deny service to servers.**\n\n### Patches\nUpgrade to 3.15.4 or newer.\n\n### Workarounds\nNo practical workarounds are possible, short of backporting the fix or implementing checks in a plugin listening to `DataPacketReceiveEvent`.\n\n### References\nc368ebb5e74632bc622534b37cd1447b97281e20\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)",
"id": "GHSA-8jq6-w5cg-wm45",
"modified": "2020-11-11T21:38:07Z",
"published": "2020-11-11T21:38:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-8jq6-w5cg-wm45"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Exploitable inventory component chaining in PocketMine-MP"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.