GitHub Advisory DatabaseGHSA-PQP3-8RRW-G8VMPocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
Impact
An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings.
Patches
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
Workarounds
- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.
- A plugin may also be able to workaround this issue by using
DataPacketReceiveEventto attempt detection of suspicious payloads. AnErrorExceptionwill be thrown in the crash case, which can be caught by plugins.
References
cweiske/jsonmapper#210
| CPE | Name | Operator | Version |
|---|---|---|---|
| pocketmine/pocketmine-mp | lt | 4.21.1 | |
| pocketmine/pocketmine-mp | lt | 4.20.5 |
References
github.com/advisories/GHSA-pqp3-8rrw-g8vm
github.com/cweiske/jsonmapper/pull/210
github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012
github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm