GHSA-g5rr-p69h-7v3g: Insufficient type validation in pocketmine/pocketmine-mp
When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don’t match, the transaction is invalid.
This involves deserializing item NBT sent by the client, which allows arbitrary, bogus data to be supplied. Usually this is harmless, but in this particular case certain kinds of bad data (e.g. a ListTag with the wrong element type supplied for the CanDestroy tag) could crash the server.
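As an added illustration (not the project's own code and not the fix in the referenced commit), the following contrasts the unsafe pattern of trusting the element type of a client-supplied CanDestroy list with a version that checks the list's declared tag type first, using the pocketmine/nbt tag classes; the function names, the exception class and the shape of the returned array are assumptions.

```php
<?php
declare(strict_types=1);

use pocketmine\nbt\NBT;
use pocketmine\nbt\tag\CompoundTag;
use pocketmine\nbt\tag\ListTag;
use pocketmine\nbt\tag\StringTag;

// Hypothetical exception: the caller catches it and rejects the transaction
// instead of letting an uncaught TypeError take the whole server down.
final class BadItemNbtException extends \RuntimeException{}

/** Unsafe pattern: assumes every entry of the client's list is a StringTag. */
function readCanDestroyUnchecked(CompoundTag $tag) : array{
	$result = [];
	$list = $tag->getListTag("CanDestroy");
	if($list !== null){
		foreach($list as $entry){
			// If the client sent a list of compound tags, getValue() returns an
			// array, and using it as an array key throws TypeError (illegal offset).
			$result[$entry->getValue()] = true;
		}
	}
	return $result;
}

/** Hardened pattern: validate the declared element type before reading entries. */
function readCanDestroyChecked(CompoundTag $tag) : array{
	$result = [];
	$list = $tag->getListTag("CanDestroy");
	if($list === null || $list->count() === 0){
		return $result; // absent or empty list: nothing to validate
	}
	if($list->getTagType() !== NBT::TAG_String){
		throw new BadItemNbtException("CanDestroy must be a list of strings, got type " . $list->getTagType());
	}
	foreach($list as $entry){
		/** @var StringTag $entry */
		$result[$entry->getValue()] = true;
	}
	return $result;
}

// Constructed sample standing in for a malformed client itemstack:
// CanDestroy supplied as a list of compound tags instead of strings.
$clientNbt = CompoundTag::create()
	->setTag("CanDestroy", new ListTag([CompoundTag::create()], NBT::TAG_Compound));

try{
	readCanDestroyChecked($clientNbt);
}catch(BadItemNbtException $e){
	echo "rejected transaction: " . $e->getMessage() . PHP_EOL;
}
```

Calling `readCanDestroyUnchecked($clientNbt)` on the same sample surfaces the failure mode the advisory describes, a runtime TypeError escaping from deserialization rather than a rejected transaction.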
References
- github.com/advisories/GHSA-g5rr-p69h-7v3g
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md
- github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2
- github.com/pmmp/PocketMine-MP/releases/tag/4.2.9
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g