logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-35925 com.fastasyncworldedit:fastasyncworldedit-core

Package

Manager: maven
Name: com.fastasyncworldedit:fastasyncworldedit-core
Vulnerable Version: >=0 <2.6.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00242 pctl0.47389

Details

FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption ### Coordinated Disclosure Timeline - 10.06.2023: Issue reported to IntellectualSites - 11.06.2023: Issue is acknowledged - 12.06.2023: Issue has been fixed - 22.06.2023: Advisory has been published ### Impacted version range Before 2.6.3 ### Details #### Proof of Concept As a user, do the following: 1. Select position 1 via `//pos1` 2. Select position 2 adding the "Infinity" keyword via `//pos2 Infinity` 3. Execute any further operation. The steps 1 and 2 are interchangeable. #### Impact Such a task has a possibility of bringing the performing server down. #### CVE - CVE-2023-35925 #### Credit This issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis. ### Solution On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible. ### Workarounds There is no direct mitigation besides updating FastAsyncWorldEdit to a patched version. ### Additional Information Users with access to the `logs/` folder or shell access on their server can try to identify possible abuses of this issue by going through the logs. To sieve through the data, you can use the regex query `\/\/pos[12] Infinity`, then investigate all log entries that return results. ### Disclosure Policy If you discover a security vulnerability within our software, please report the issue according to our [vulnerability disclosure policy](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md).

Metadata

Created: 2023-06-22T20:00:36Z
Modified: 2023-06-22T20:00:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-whj9-m24x-qhhp/GHSA-whj9-m24x-qhhp.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-whj9-m24x-qhhp
Finding: F067
Auto approve: 1