An attacker could crash the server by sending malformed JWT JSON in LoginPacket, due to a security vulnerability in netresearch/jsonmapper: improper checking when mapping JSON arrays and objects onto scalar model properties such as strings.
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
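The class of check described above, as an added PHP sketch (not code from JsonMapper, the fork, or PocketMine-MP): decoded JSON is refused when an array or object arrives where the model declares a scalar. `ExampleClaims`, `mapStrict` and the sample payloads are hypothetical names and constructed data; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical model with scalar-typed properties (stand-in for a JWT claims model).
final class ExampleClaims {
    public string $displayName = "";
    public int $issuedAt = 0;
}

// Maps decoded JSON onto $model, refusing arrays/objects (or any other
// mismatched type) where the target property is declared as a scalar.
function mapStrict(stdClass $json, object $model): object {
    $ref = new ReflectionObject($model);
    foreach (get_object_vars($json) as $key => $value) {
        $key = (string) $key; // numeric JSON keys come back as ints
        if (!$ref->hasProperty($key)) {
            throw new UnexpectedValueException("Unknown property '$key'");
        }
        $type = $ref->getProperty($key)->getType();
        if (!$type instanceof ReflectionNamedType || !$type->isBuiltin()) {
            throw new UnexpectedValueException("'$key' is not a scalar property");
        }
        $actual = get_debug_type($value); // "string", "int", "array", "stdClass", ...
        if ($actual !== $type->getName()) {
            throw new UnexpectedValueException("'$key' must be {$type->getName()}, got $actual");
        }
        $model->$key = $value;
    }
    return $model;
}

// Constructed samples: one well-formed, two with a non-scalar in a string slot.
$samples = [
    '{"displayName":"Steve","issuedAt":1700000000}',
    '{"displayName":["Steve"],"issuedAt":1700000000}',
    '{"displayName":{"a":1},"issuedAt":1700000000}',
];
foreach ($samples as $raw) {
    try {
        $decoded = json_decode($raw, false, 16, JSON_THROW_ON_ERROR);
        if (!$decoded instanceof stdClass) {
            throw new UnexpectedValueException("Top-level JSON value must be an object");
        }
        mapStrict($decoded, new ExampleClaims());
        echo "accepted: $raw\n";
    } catch (JsonException | UnexpectedValueException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Rejecting with a typed exception at the mapping boundary keeps a malformed payload from reaching code that assumes a string, so the caller can drop the session instead of the process dying on an unhandled error.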
DataPacketReceiveEvent to attempt detection of suspicious payloads. An ErrorException will be thrown in the crash case, which can be caught by plugins.
cweiske/jsonmapper#210
Name | Operator | Version |
---|---|---|
pocketmine/pocketmine-mp | lt | 4.21.1 |
pocketmine/pocketmine-mp | lt | 4.20.5 |
github.com/advisories/GHSA-pqp3-8rrw-g8vm
github.com/cweiske/jsonmapper/pull/210
github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012
github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm