GHSA-42qm-8v8m-m78c – pocketmine/pocketmine-mp

Package

Manager: composer
Name: pocketmine/pocketmine-mp
Vulnerable Version: >=0 <4.18.0-alpha2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket' ### Impact A "mismatch" type `InventoryTransactionPacket` is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT). This is not currently known to have been exploited in the wild. ### Patches This problem was fixed in 4.18.0-ALPHA2 by ca6d51498f12427a947467da8fcad7811418e6cc alongside the introduction of the `ItemStackRequest` system implementation. ### Workarounds Plugins can handle `DataPacketReceiveEvent` for `InventoryTransactionPacket` and check if the type is `MismatchTransactionData`. If it is, apply some kind of rate limit (e.g. max 1 per tick).

Metadata

Created: 2023-06-01T19:10:40Z
Modified: 2023-06-01T19:10:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-42qm-8v8m-m78c/GHSA-42qm-8v8m-m78c.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F067
Auto approve: 1