pocketmine/pocketmine-mp 中的类型验证不足

CVE编号

N/A

利用情况

暂无

补丁情况

N/A

披露时间

2022-04-23

漏洞描述

When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, it could result in crashes on certain types of bad data (e.g. incorrect ListTag type provided for the CanDestroy tag). This is fixed in 4.2.9 by commit 5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2. It's non-trivial to workaround this, but can be done by handling InventoryTransactionPacket and PlayerAuthInputPacket to scrub inbound transaction data of bogus NBT that would cause these crashes.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/advisories/GHSA-g5rr-p69h-7v3g

CVSS3评分 7.5

• 攻击路径 N/A
• 攻击复杂度 N/A
• 权限要求 N/A
• 影响范围 N/A
• 用户交互 N/A
• 可用性 N/A
• 保密性 N/A
• 完整性 N/A

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-ID	漏洞类型
CWE-1287	Improper Validation of Specified Type of Input
CWE-20	输入验证不恰当

Exp相关链接

- avd.aliyun.com