Lucene search

[email protected]CVE-2023-37262

HistoryJul 07, 2023 - 9:15 p.m.

CVE-2023-37262

2023-07-0721:15:09

CWE-918

[email protected]

web.nvd.nist.gov

cc tweaked

minecraft

mod

cve-2023-37262

unauthorized access

sensitive information

metadata servers

cloud hosting

aws

gcp

azure

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.8%

JSON

CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka “blacklisted”) by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.

Affected configurations

Vulners

NVD

Node

cc-tweakedcc_tweakedRange<1.16.5-1.101.3

cc-tweakedcc_tweakedRange1.17.0–1.18.2-1.101.3

cc-tweakedcc_tweakedRange1.19.0–1.19.2-1.101.3

cc-tweakedcc_tweakedRange1.19.3–1.19.4-1.106.0

cc-tweakedcc_tweakedRange1.20.0–1.20.1-1.106.0

CPENameOperatorVersion
tweaked:cc-tweakedtweaked cc-tweakedlt1.16.5-1.101.3
tweaked:cc-tweakedtweaked cc-tweakedlt1.18.2-1.101.3
tweaked:cc-tweakedtweaked cc-tweakedlt1.19.2-1.101.3
tweaked:cc-tweakedtweaked cc-tweakedlt1.19.4-1.106.0
tweaked:cc-tweakedtweaked cc-tweakedlt1.20.1-1.106.0

CPE	Name	Operator	Version
tweaked:cc-tweaked	tweaked cc-tweaked	lt	1.16.5-1.101.3
tweaked:cc-tweaked	tweaked cc-tweaked	lt	1.18.2-1.101.3
tweaked:cc-tweaked	tweaked cc-tweaked	lt	1.19.2-1.101.3
tweaked:cc-tweaked	tweaked cc-tweaked	lt	1.19.4-1.106.0
tweaked:cc-tweaked	tweaked cc-tweaked	lt	1.20.1-1.106.0

CNA Affected

[
  {
    "vendor": "cc-tweaked",
    "product": "CC-Tweaked",
    "versions": [
      {
        "version": "< 1.16.5-1.101.3",
        "status": "affected"
      },
      {
        "version": ">= 1.17.0, < 1.18.2-1.101.3",
        "status": "affected"
      },
      {
        "version": ">= 1.19.0, < 1.19.2-1.101.3",
        "status": "affected"
      },
      {
        "version": ">= 1.19.3, < 1.19.4-1.106.0",
        "status": "affected"
      },
      {
        "version": ">= 1.20.0, < 1.20.1-1.106.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/cc-tweaked/CC-Tweaked/blob/96847bb8c28df51e5e49f2dd2978ff6cc4e2821b/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L116-L126

github.com/cc-tweaked/CC-Tweaked/commit/4bbde8c50c00bc572578ab2cff609b3443d10ddf

github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-7p4w-mv69-2wm2

github.com/dan200/ComputerCraft/issues/170

github.com/MightyPirates/OpenComputers/security/advisories/GHSA-vvfj-xh7c-j2cm

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.8%

JSON

Related for CVE-2023-37262

nvd1 prion1 cvelist1 osv2