#VU18662 Improper access control in Dynmap


Published: 2019-06-03 | Updated: 2020-01-29

Vulnerability identifier: #VU18662

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-12395

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Dynmap
Client/Desktop applications / Games

Vendor: Webbukkit

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to a missing login check in "servlet/MapStorageHandler.java", the servlet that serves map images from Dynmap's map storage. Because the handler never verifies that the requesting session has logged in, a remote, unauthenticated attacker can fetch map images directly from this endpoint even when the "login-required" setting is enabled; the setting is enforced by other parts of the web interface but not by this handler.
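The following is an added illustration of the bug class, not Dynmap's own code: a servlet that streams map images from a storage backend, shown once without the login check (the vulnerable shape described above) and once with the check applied before storage is touched. The class and method names, the TileStore interface, the "loggedIn" session attribute and the request-path handling are all assumptions made for the example; only the "login-required" setting name comes from the advisory.

```java
// Added example, not code from the Dynmap project. Assumes the javax.servlet
// API (Dynmap 3.0 embeds Jetty) and a hypothetical TileStore backend.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class MapImageServlet extends HttpServlet {

    /** Hypothetical storage abstraction; returns null when no such image exists. */
    public interface TileStore {
        InputStream open(String imagePath);
    }

    private final TileStore store;
    /** Mirrors the "login-required" configuration setting from the advisory. */
    private final boolean loginRequired;

    public MapImageServlet(TileStore store, boolean loginRequired) {
        this.store = store;
        this.loginRequired = loginRequired;
    }

    /**
     * VULNERABLE shape: the handler goes straight to storage. Whether
     * login-required is on or off never influences the response, so any
     * network client that can guess or enumerate an image path gets the image.
     */
    protected void doGetWithoutLoginCheck(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        streamImage(req.getPathInfo(), resp);
    }

    /**
     * HARDENED shape: the access decision is made first, on every request,
     * before any storage lookup. An anonymous request is rejected when the
     * setting is on; the storage code below is reached only by sessions that
     * passed the check.
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (loginRequired && !isLoggedIn(req)) {
            // 401 rather than 404 so that monitoring can distinguish
            // "refused" from "missing" in the access log.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        streamImage(req.getPathInfo(), resp);
    }

    /** Session marker is a hypothetical attribute set by the login handler. */
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // do not create one for anonymous callers
        return session != null && session.getAttribute("loggedIn") != null;
    }

    private void streamImage(String imagePath, HttpServletResponse resp) throws IOException {
        if (imagePath == null || imagePath.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try (InputStream in = store.open(imagePath)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("image/png");
            try (OutputStream out = resp.getOutputStream()) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            }
        }
    }
}
```

The point to carry over when reviewing similar code: a "login required" option is only as strong as the set of handlers that consult it, so every route that returns protected data (including secondary ones such as storage-backed image endpoints) needs the same check, and the check belongs before any backend access rather than after.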

Mitigation
Install the update from the vendor's website. The fix is the commit linked under External links; deployments that cannot update immediately should not rely on "login-required" alone to keep map images private and should restrict network access to the Dynmap web port instead.

Vulnerable software versions

Dynmap: 3.0 beta-3


External links
http://github.com/webbukkit/dynmap/commit/641f142cd3ccdcbfb04eda3059be22dd9ed93783
http://github.com/webbukkit/dynmap/issues/2474
http://github.com/webbukkit/dynmap/pull/2475


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
