pocketmine/pocketmine-mp Security Advisories for 4.10.2 (13)
-
[LOW] PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state
PKSA-t7y4-spmt-39ct GHSA-f9jp-856v-8642
Affected version: <5.39.2
Reported by: GitHub
-
[MEDIUM] PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`
PKSA-yw3m-b28c-y6hc GHSA-7hmv-4j2j-pp6f
Affected version: <5.39.2
Reported by: GitHub
-
[HIGH] PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling
PKSA-cnjv-js4w-1xcs GHSA-788v-5pfp-93ff
Affected version: <5.39.2
Reported by: GitHub
-
[HIGH] PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
PKSA-h4z5-fb6q-736p GHSA-h6rj-3m53-887h
Affected version: <5.41.1
Reported by: GitHub
-
[HIGH] PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking
PKSA-gsjv-vrbx-n6br GHSA-fqqv-56h5-f57g
Affected version: <5.32.1
Reported by: GitHub
-
[MEDIUM] PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
PKSA-1y47-vhgh-zq2y GHSA-g274-c6jj-h78p
Affected version: <5.25.2
Reported by: GitHub
-
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)
PKSA-7cft-g1hs-ddc8 GHSA-h6j3-j35f-v2x7
Affected version: <5.11.1
Reported by: GitHub
-
[HIGH] PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid
PKSA-krv9-c6mg-smc2 GHSA-xc7j-wj36-qjfr
Affected version: <5.11.2
Reported by: GitHub
-
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
PKSA-nv2r-zxzd-wzsw GHSA-92jh-gwch-jq38
Affected version: <=4.23.0|>=5.0.0,<=5.3.0
Reported by: GitHub
-
[HIGH] PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
PKSA-rjb4-mbc7-gvrq CVE-2023-7332 GHSA-h87r-f4vc-mchv
Affected version: <4.18.1
Reported by: GitHub
-
[HIGH] PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
PKSA-mdrw-7xfy-3575 GHSA-pqp3-8rrw-g8vm
Affected version: >=4.21.0,<4.21.1|<4.20.5
Reported by: GitHub
-
[MEDIUM] PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'
PKSA-3mjs-tbmc-n317 GHSA-42qm-8v8m-m78c
Affected version: <4.18.0-ALPHA2
Reported by: GitHub
-
[MEDIUM] PocketMine-MP vulnerable to denial-of-service by sending large modal form responses
PKSA-6mdv-sgnk-4jgv GHSA-7m9r-rq9j-wmmh
Affected version: <4.12.5
Reported by: GitHub