CVE-2023-7332: PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar.
This did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild.
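A simplified model of the flaw and its fix, added here as an illustration; it is not code from PocketMine-MP, and the hotbar, slot and handler names are hypothetical. The unchecked handler trusts the client-supplied count and ends up with an inconsistent inventory (modelled as an uncaught exception, i.e. the crash), while the checked handler validates the request against server-side state and rejects it instead.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Slot:
    item: str   # "" means the slot is empty
    count: int

HOTBAR_SIZE = 9

def make_hotbar() -> List[Slot]:
    # Constructed sample hotbar: two occupied slots, the rest empty.
    return [Slot("stone", 5), Slot("arrow", 64)] + [Slot("", 0) for _ in range(HOTBAR_SIZE - 2)]

def validate_drop(hotbar: List[Slot], slot_index: int, requested: int) -> Optional[str]:
    """Return None if the client's drop request is consistent with the server's
    own view of the hotbar, otherwise a short reason for rejecting it."""
    if not 0 <= slot_index < len(hotbar):
        return "slot index out of range"
    slot = hotbar[slot_index]
    if slot.count == 0:
        return "slot is empty"
    if requested < 1:
        return "count must be positive"
    if requested > slot.count:
        return f"requested {requested} but slot holds {slot.count}"
    return None

def handle_drop_unchecked(hotbar: List[Slot], slot_index: int, requested: int) -> int:
    # Vulnerable pattern: the server applies the client's count without checking
    # it against the slot. Requesting more than the stack holds drives the count
    # negative; the inconsistency surfaces as an uncaught exception (the crash).
    slot = hotbar[slot_index]
    slot.count -= requested
    if slot.count < 0:
        raise RuntimeError(f"inconsistent inventory: {slot.item} x{slot.count}")
    return requested

def handle_drop_checked(hotbar: List[Slot], slot_index: int, requested: int) -> Tuple[bool, str]:
    # Hardened pattern: validate before mutating, and turn a bad request into a
    # rejection the packet layer can log or act on, never into an exception.
    reason = validate_drop(hotbar, slot_index, requested)
    if reason is not None:
        return False, reason
    slot = hotbar[slot_index]
    name = slot.item
    slot.count -= requested
    if slot.count == 0:
        slot.item = ""
    return True, f"dropped {requested} {name}"
```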
References
- github.com/advisories/GHSA-h87r-f4vc-mchv
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md
- github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv
- nvd.nist.gov/vuln/detail/CVE-2023-7332
- www.cve.org/cverecord?id=CVE-2023-7332
- www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash