Lucene search

GitHub_MCVELIST:CVE-2022-39221

HistorySep 20, 2022 - 11:25 p.m.

CVE-2022-39221 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') McWebserver Minecraft Mod

2022-09-2023:25:08

CWE-22

GitHub_M

www.cve.org

cve-2022-39221

path traversal

mcwebserver

minecraft mod

fabric

quilt

forge

http

server

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

51.6%

JSON

McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the mods directory.

CNA Affected

[
  {
    "product": "McWebserver",
    "vendor": "J-onasJones",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.2.0"
      }
    ]
  }
]

References

github.com/J-onasJones/McWebserver/pull/1

github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

51.6%

JSON

Related for CVELIST:CVE-2022-39221