GHSA-wqqv-jcfr-9f5g: PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
DyeColorIdMap->fromId() did not account for the possibility that it might be given invalid input. As a result, an undefined offset error occurred whenever it received such input.
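The failure mode described above, as an added example that is not PocketMine-MP's code: an unchecked ID-to-colour lookup beside a checked one whose caller falls back to a default. The class ColourIdMap, the function readBaseColour, the 'Base' key, the colour table and the error handler that promotes warnings to exceptions are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: warnings are promoted to exceptions, so an undefined offset is fatal if uncaught.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Hypothetical stand-in for an ID-to-colour map; not PocketMine-MP's class.
final class ColourIdMap {
    /** @var array<int, string> */
    private array $idToName = [0 => 'white', 1 => 'orange', 14 => 'red', 15 => 'black'];

    // Unchecked form: any ID without an entry raises "Undefined array key".
    public function fromIdUnchecked(int $id): string {
        return $this->idToName[$id];
    }

    // Checked form: unknown IDs yield null and the caller decides what to do.
    public function fromId(int $id): ?string {
        return $this->idToName[$id] ?? null;
    }
}

// Hypothetical reader for a saved banner's base colour; $nbt models decoded, untrusted tag data.
function readBaseColour(ColourIdMap $map, array $nbt, string $default = 'black'): string {
    $raw = $nbt['Base'] ?? null;
    if (!is_int($raw)) {
        return $default; // missing or wrongly typed tag
    }
    return $map->fromId($raw) ?? $default; // unmapped ID falls back instead of throwing
}

$map = new ColourIdMap();
$samples = [['Base' => 14], ['Base' => 99], ['Base' => 'x'], []]; // constructed inputs

foreach ($samples as $nbt) {
    echo json_encode($nbt), ' => ', readBaseColour($map, $nbt), PHP_EOL;
}

try {
    $map->fromIdUnchecked(99); // same ID through the unchecked path
} catch (Throwable $e) {
    echo 'unchecked lookup: ', get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```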
References
- github.com/advisories/GHSA-wqqv-jcfr-9f5g
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php
- github.com/pmmp/PocketMine-MP/commit/08b9495bce2d65a6d1d3eeb76e484499a00765eb
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-wqqv-jcfr-9f5g