SB2022122901 - Multiple vulnerabilities in PocketMine-MP

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application allows unauthenticated connections to take up player count slots, preventing players from joining the game. A remote attacker can consume all available connection slots and perform a denial of service attack.

2) Resource exhaustion (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in session handling when processing connection attempts that do not send a LoginPacket. A remote attacker can create multiple unauthenticated sessions and keep them open to cause a denial of service.

Unauthenticated sessions are counted toward the max-players check until a 10-second login timeout is reached, which can cause legitimate players to be disconnected immediately when they attempt to join.

Remediation

Install update from vendor's website.

References

• https://github.com/pmmp/PocketMine-MP/releases/tag/4.12.3
• https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-474q-9hgp-hcvx
• https://github.com/advisories/GHSA-474q-9hgp-hcvx