Lucene search

GoogleOSV:GHSA-R887-GFXH-M9RR

HistoryFeb 08, 2023 - 6:07 p.m.

mrpack-install vulnerable to path traversal with dependency

2023-02-0818:07:16

Google

osv.dev

vulnerable

path traversal

dependency

malicious

download

scripts

config files

arbitrary locations

user noticing

patches

workarounds

untrusted sources

modrinth

modpacks

software

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

27.0%

JSON

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

Patches

No patches yet.

Workarounds

Avoid importing .mrpack files from untrusted sources.

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

References

github.com/nothub/mrpack-install

github.com/nothub/mrpack-install/commit/a1f424b6a616d2de95228781eef3b92b9769f23c

github.com/nothub/mrpack-install/releases/tag/v0.16.3

github.com/nothub/mrpack-install/security/advisories/GHSA-r887-gfxh-m9rr

nvd.nist.gov/vuln/detail/CVE-2023-25307

quiltmc.org/en/blog/2023-02-04-five-installer-vulnerabilities

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

27.0%

JSON

Related for OSV:GHSA-R887-GFXH-M9RR