CVE-2022-39221

McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/J-onasJones/McWebserver/pull/1	Patch Third Party Advisory
https://github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q	Third Party Advisory
https://github.com/J-onasJones/McWebserver/pull/1	Patch Third Party Advisory
https://github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mcwebserver_minecraft_mod_for_fabric_and_quilt_project:mcwebserver_minecraft_mod_for_fabric_and_quilt::::::::
	cpe:2.3:a:mcwebserver_minecraft_mod_for_forge_project:mcwebserver_minecraft_mod_for_forge::::::::

History

No history.

Information

Published : 2022-09-21 00:15

Updated : 2024-11-21 07:17

NVD link : CVE-2022-39221

Mitre link : CVE-2022-39221

CVE.ORG link : CVE-2022-39221

JSON object : View

Products Affected

mcwebserver_minecraft_mod_for_forge_project

mcwebserver_minecraft_mod_for_forge

mcwebserver_minecraft_mod_for_fabric_and_quilt_project

mcwebserver_minecraft_mod_for_fabric_and_quilt

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2022-39221", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-09-21T00:15:10.607", "references": [{"url": "https://github.com/J-onasJones/McWebserver/pull/1", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/J-onasJones/McWebserver/pull/1", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory."}, {"lang": "es", "value": "McWebserver mod ejecuta un simple servidor HTTP junto con el servidor de Minecraft en hilos separados. UnSalto de Ruta en McWebserver Minecraft Mod para Fabric y Quilt versiones hasta 0.1.2.1 incluy\u00e9ndola y McWebserver Minecraft Mod para Forge versiones hasta 0.1.1 incluy\u00e9ndola, permite que todos los archivos, accesibles por el programa, sean le\u00eddos por cualquiera por medio de una petici\u00f3n HTTP. La versi\u00f3n 0.2.0 con parches son liberadas a ambas plataformas (Fabric y Quilt, Forge). Como mitigaci\u00f3n, el mod McWebserver puede ser deshabilitado al eliminar el archivo del directorio \"mods\""}], "lastModified": "2024-11-21T07:17:49.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mcwebserver_minecraft_mod_for_fabric_and_quilt_project:mcwebserver_minecraft_mod_for_fabric_and_quilt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F306A99-7651-4465-AFB6-EA701128C31F", "versionEndIncluding": "0.1.2.1"}, {"criteria": "cpe:2.3:a:mcwebserver_minecraft_mod_for_forge_project:mcwebserver_minecraft_mod_for_forge:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E15565A5-A3C8-4483-AFAE-5783934E3C19", "versionEndIncluding": "0.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}