GHSA-j5qg-w9jg-3wg3 – pocketmine/pocketmine-mp
Package
Manager: composer
Name: pocketmine/pocketmine-mp
Vulnerable Version: >=0 <4.0.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Inability to de-op players if listed in ops.txt with non-lowercase letters

### Impact
Originally reported in iTXTech/Genisys#1188

```txt
PotterHarry98
potterharry98
```

`deop PotterHarry98` will remove `potterharry98` from the ops.txt but not `PotterHarry98`.

Operator permissions are checked using `Config->exists()` with `lowercase=true`, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449

This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.

### Patches
4d37b79ff7f9d9452e988387f97919a9a1c4954e

### Workarounds
This can be easily addressed by removing the offending lines from ops.txt manually.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [pmmp/PocketMine-MP](https://github.com/pmmp/PocketMine-MP)
* Email us at [team@pmmp.io](mailto:team@pmmp.io)
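
The workaround above means finding the lines a command-based de-op cannot reach. The following audit sketch is an added example, not PocketMine-MP code; it models the behaviour as the advisory describes it (case-insensitive permission check, removal of the lowercase name only) and assumes ops.txt holds one name per line. All function names are hypothetical.

```python
# Added example: audit an ops.txt for entries that survive `deop`.
# Assumptions taken from the advisory text, not from PocketMine-MP source:
#   - ops.txt holds one player name per line
#   - the operator check matches names case-insensitively
#   - `deop <name>` deletes only the all-lowercase form of <name>

def parse_ops(text):
    """Return the non-empty entries of an ops.txt, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def is_op(entries, player):
    """Case-insensitive operator check, as described for affected versions."""
    return player.lower() in {e.lower() for e in entries}

def deop(entries, player):
    """Model of the affected removal: only the lowercase key is deleted."""
    target = player.lower()
    return [e for e in entries if e != target]

def stuck_entries(entries):
    """Lines still present after de-opping every listed name by command."""
    remaining = list(entries)
    for name in entries:
        remaining = deop(remaining, name)
    return remaining

def cleaned(entries):
    """Normalised list: lowercase, de-duplicated, original order kept."""
    seen, out = set(), []
    for e in entries:
        key = e.lower()
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out

# Constructed sample: the advisory's two-line excerpt plus one ordinary entry.
SAMPLE = "PotterHarry98\npotterharry98\nsteve\n"

if __name__ == "__main__":
    ops = parse_ops(SAMPLE)
    print("lines to remove by hand:", stuck_entries(ops))
    print("normalised ops list:    ", cleaned(ops))
```

Any name returned by `stuck_entries` is a line to delete from ops.txt by hand on versions before 4.0.3.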
Metadata
Created: 2021-12-16T18:53:57Z
Modified: 2021-12-16T15:47:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-j5qg-w9jg-3wg3/GHSA-j5qg-w9jg-3wg3.json
CWE IDs: []
Alternative ID: N/A
Finding: F113
Auto approve: 1