GMS-2023-1798: PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
Impact
An attacker could crash the server by sending malformed JWT JSON in LoginPacket
due to a security vulnerability in netresearch/jsonmapper
, due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings.
Patches
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
Workarounds
- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.
- A plugin may also be able to workaround this issue by using
DataPacketReceiveEvent
to attempt detection of suspicious payloads. AnErrorException
will be thrown in the crash case, which can be caught by plugins.
References
cweiske/jsonmapper#210
References
- github.com/advisories/GHSA-pqp3-8rrw-g8vm
- github.com/cweiske/jsonmapper/pull/210
- github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm
- github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012
Detect and mitigate GMS-2023-1798 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →