Lucene search

GitHub Advisory DatabaseGHSA-R887-GFXH-M9RR

HistoryFeb 08, 2023 - 6:07 p.m.

mrpack-install vulnerable to path traversal with dependency

2023-02-0818:07:16

CWE-22

GitHub Advisory Database

github.com

mrpack-install

path traversal

dependency

modrinth

files

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

27.0%

JSON

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

Patches

No patches yet.

Workarounds

Avoid importing .mrpack files from untrusted sources.

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

Affected configurations

Vulners

Node

nothubmrpack-installRange≤0.16.2

VendorProductVersionCPE
nothubmrpack-install*cpe:2.3:a:nothub:mrpack-install:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nothub	mrpack-install	*	cpe:2.3:a:nothub:mrpack-install::::::::

References

github.com/advisories/GHSA-r887-gfxh-m9rr

github.com/nothub/mrpack-install/commit/a1f424b6a616d2de95228781eef3b92b9769f23c

github.com/nothub/mrpack-install/releases/tag/v0.16.3

github.com/nothub/mrpack-install/security/advisories/GHSA-r887-gfxh-m9rr

nvd.nist.gov/vuln/detail/CVE-2023-25307

quiltmc.org/en/blog/2023-02-04-five-installer-vulnerabilities/

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

27.0%

JSON

Related for GHSA-R887-GFXH-M9RR