GHSA-h87r-f4vc-mchv – pocketmine/pocketmine-mp

Package

Manager: composer
Name: pocketmine/pocketmine-mp
Vulnerable Version: >=0 <4.18.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash ### Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild. ### Patches This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1. ### Workarounds Handle `InventoryTransactionPacket` in `DataPacketReceiveEvent`, and verify that the item count dropped isn't more than the available item count. However, it's complicated to do this, so it's not recommended.

Metadata

Created: 2023-06-06T01:51:09Z
Modified: 2023-06-06T01:51:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-h87r-f4vc-mchv/GHSA-h87r-f4vc-mchv.json
CWE IDs: []
Alternative ID: N/A
Finding: F184
Auto approve: 1