SB2023091373 - Multiple vulnerabilities in PocketMine-MP

Published: September 13, 2023 Updated: April 8, 2026

Security Bulletin ID: SB2023091373
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the handling of the LoginPacket identityPublicKey when a login packet carries a public key on an incorrect elliptic curve or a non-EC key. A remote attacker can send a specially crafted login packet to cause a denial of service.

The issue is triggered after the login chain has been successfully verified, at the point where ECDH key derivation encounters a client-provided key that does not belong to the server's curve.


2) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in LoginPacket processing when malformed JWT JSON is parsed. A remote attacker can send a specially crafted LoginPacket to cause a denial of service.

The issue stems from the acceptance of NULL values in arrays whose element types do not expect NULL.
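As an added example (not PocketMine-MP's own code), the two pre-use checks that address issues 1 and 2 above: a DER inspection of the identityPublicKey that rejects non-EC keys and keys on a curve other than the server's before ECDH runs, and a strict parse of the JWT chain array that rejects null entries instead of passing them to typed code. It assumes the server's curve is secp384r1 (P-384); the sample keys are constructed with genuine DER headers and filler coordinates.

```python
import base64
import json
# Added example, not PocketMine-MP code: check the LoginPacket identityPublicKey and
# the JWT chain array before use. Assumption: the server's curve is secp384r1 (P-384).
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"
SERVER_CURVE_OID = "1.3.132.0.34"  # secp384r1 (assumed server curve)
# Constructed SPKI samples: genuine DER headers for P-384 and P-256, filler coordinates.
P384_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE" + base64.b64encode(b"\x11" * 96).decode()
P256_KEY = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE" + base64.b64encode(b"\x11" * 64).decode()

def _tlv(buf, pos):  # read one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):  # decode DER OID content bytes into dotted form
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_identity_public_key(spki_b64):
    """Return the curve OID if the base64 SPKI is an EC key on the server curve, else raise."""
    spki = base64.b64decode(spki_b64, validate=True)
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("identityPublicKey is not a DER SEQUENCE")
    _, alg, _ = _tlv(body, 0)                 # AlgorithmIdentifier
    tag, alg_oid, pos = _tlv(alg, 0)          # algorithm OID
    if tag != 0x06 or _oid(alg_oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("identityPublicKey is not an EC key")
    tag, curve, _ = _tlv(alg, pos)            # namedCurve parameter
    if tag != 0x06 or _oid(curve) != SERVER_CURVE_OID:
        raise ValueError("identityPublicKey is on the wrong curve")
    return _oid(curve)

def check_login_chain(chain_json):
    """Parse the chain JSON strictly: 'chain' must be a non-empty array of strings."""
    data = json.loads(chain_json)
    chain = data.get("chain") if isinstance(data, dict) else None
    if not isinstance(chain, list) or not chain:
        raise ValueError("chain must be a non-empty array")
    if not all(isinstance(token, str) for token in chain):
        raise ValueError("chain contains a non-string (e.g. null) entry")
    return chain
```

Both functions raise ValueError, which a packet handler can catch and answer with a disconnect, rather than an uncaught error from the ECDH or typed-array code path.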


Remediation

Install the update from the vendor's website.