CVE-2023-38689 (GCVE-0-2023-38689)

Vulnerability from cvelistv5 – Published: 2023-08-04 16:21 – Updated: 2024-10-10 15:59
Title
Deserialization of Untrusted Data in network IO
Summary
Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java's `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code. The issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
Impacted products
Vendor Product Version
RS485 LogisticsPipes Affected: >= 0.7.0.91, < 0.10.0.71
rs485 logisticspipes Affected: 0.7.0.91 , < 0.10.0.71 (custom)
    cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:46:56.818Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3"
          },
          {
            "name": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56"
          },
          {
            "name": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "logisticspipes",
            "vendor": "rs485",
            "versions": [
              {
                "lessThan": "0.10.0.71",
                "status": "affected",
                "version": "0.7.0.91",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-38689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-10T15:26:10.928951Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-10T15:59:28.911Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LogisticsPipes",
          "vendor": "RS485",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.7.0.91, \u003c 0.10.0.71"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java\u0027s `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code.  \nThe issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-04T16:21:24.289Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3"
        },
        {
          "name": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56"
        },
        {
          "name": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7"
        }
      ],
      "source": {
        "advisory": "GHSA-mcp7-xf3v-25x3",
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of Untrusted Data in network IO"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-38689",
    "datePublished": "2023-08-04T16:21:24.289Z",
    "dateReserved": "2023-07-24T16:19:28.363Z",
    "dateUpdated": "2024-10-10T15:59:28.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-38689",
      "date": "2026-06-08",
      "epss": "0.0441",
      "percentile": "0.89218"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*\", \"versionStartIncluding\": \"0.7.0.91\", \"versionEndExcluding\": \"0.10.0.71\", \"matchCriteriaId\": \"DDB83922-E7A5-4002-85C5-5B46BE9A1E86\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java\u0027s `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code.  \\nThe issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks.\"}, {\"lang\": \"es\", \"value\": \"\\\"Logistics Pipes es una modificaci\\u00f3n (tambi\\u00e9n conocida como mod) para el juego de ordenador Minecraft Java Edition. El mod utilizaba Java\u0027s `ObjectInputStream#readObject` en datos no fiables procedentes de clientes o servidores a trav\\u00e9s de la red, lo que resultaba en una posible ejecuci\\u00f3n remota de c\\u00f3digo al enviar paquetes de red espec\\u00edficamente dise\\u00f1ados despu\\u00e9s de conectarse. Las versiones afectadas se publicaron entre 2013 y 2016 y el problema (entonces desconocido) se solucion\\u00f3 en 2016 mediante una refactorizaci\\u00f3n del c\\u00f3digo de E/S de red.  
\\nEl problema est\\u00e1 presente en todas las versiones de Logistics Pipes, desde la 0.7.0.91 hasta la 0.10.0.71, que se descargaron desde diferentes plataformas y que suman varios millones de descargas. Para Minecraft versi\\u00f3n 1.7.10 el problema se solucion\\u00f3 en la versi\\u00f3n 0.10.0.71. Todo el mundo en Minecraft 1.7.10 debe comprobar su n\\u00famero de versi\\u00f3n de Log\\u00edstica Tuber\\u00edas en su lista de mods y actualizaci\\u00f3n, si el n\\u00famero de versi\\u00f3n es menor que 0.10.0.71. Cualquier versi\\u00f3n m\\u00e1s reciente de Minecraft compatible (como 1.12.2) nunca tuvo una versi\\u00f3n de Logistics Pipes con c\\u00f3digo vulnerable. La mejor soluci\\u00f3n disponible para las versiones vulnerables es jugar en un solo jugador o actualizar a nuevas versiones de Minecraft y modpacks.\\\"\\n\"}]",
      "id": "CVE-2023-38689",
      "lastModified": "2024-11-21T08:14:03.660",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-08-04T17:15:10.563",
      "references": "[{\"url\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-38689\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-08-04T17:15:10.563\",\"lastModified\":\"2024-11-21T08:14:03.660\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java\u0027s `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code.  \\nThe issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks.\"},{\"lang\":\"es\",\"value\":\"\\\"Logistics Pipes es una modificaci\u00f3n (tambi\u00e9n conocida como mod) para el juego de ordenador Minecraft Java Edition. El mod utilizaba Java\u0027s `ObjectInputStream#readObject` en datos no fiables procedentes de clientes o servidores a trav\u00e9s de la red, lo que resultaba en una posible ejecuci\u00f3n remota de c\u00f3digo al enviar paquetes de red espec\u00edficamente dise\u00f1ados despu\u00e9s de conectarse. 
Las versiones afectadas se publicaron entre 2013 y 2016 y el problema (entonces desconocido) se solucion\u00f3 en 2016 mediante una refactorizaci\u00f3n del c\u00f3digo de E/S de red.  \\nEl problema est\u00e1 presente en todas las versiones de Logistics Pipes, desde la 0.7.0.91 hasta la 0.10.0.71, que se descargaron desde diferentes plataformas y que suman varios millones de descargas. Para Minecraft versi\u00f3n 1.7.10 el problema se solucion\u00f3 en la versi\u00f3n 0.10.0.71. Todo el mundo en Minecraft 1.7.10 debe comprobar su n\u00famero de versi\u00f3n de Log\u00edstica Tuber\u00edas en su lista de mods y actualizaci\u00f3n, si el n\u00famero de versi\u00f3n es menor que 0.10.0.71. Cualquier versi\u00f3n m\u00e1s reciente de Minecraft compatible (como 1.12.2) nunca tuvo una versi\u00f3n de Logistics Pipes con c\u00f3digo vulnerable. La mejor soluci\u00f3n disponible para las versiones vulnerables es jugar en un solo jugador o actualizar a nuevas versiones de Minecraft y modpacks.\\\"\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabili
tyScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*\",\"versionStartIncluding\":\"0.7.0.91\",\"versionEndExcluding\":\"0.10.0.71\",\"matchCriteriaId\":\"DDB83922-E7A5-4002-85C5-5B46BE9A1E86\"}]}]}],\"references\":[{\"url\":\"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Deserialization of Untrusted Data in network IO\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-502\", \"lang\": \"en\", \"description\": \"CWE-502: Deserialization of Untrusted Data\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\"}, {\"name\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\"}, {\"name\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\"}], \"affected\": [{\"vendor\": \"RS485\", \"product\": \"LogisticsPipes\", \"versions\": [{\"version\": \"\u003e= 0.7.0.91, \u003c 0.10.0.71\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-08-04T16:21:24.289Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. 
The mod used Java\u0027s `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code.  \\nThe issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks.\"}], \"source\": {\"advisory\": \"GHSA-mcp7-xf3v-25x3\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:46:56.818Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3\"}, {\"name\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56\"}, {\"name\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\", \"tags\": [\"x_refsource_MISC\", 
\"x_transferred\"], \"url\": \"https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-38689\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-10T15:26:10.928951Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*\"], \"vendor\": \"rs485\", \"product\": \"logisticspipes\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.7.0.91\", \"lessThan\": \"0.10.0.71\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-10T15:55:21.721Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-38689\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-07-24T16:19:28.363Z\", \"datePublished\": \"2023-08-04T16:21:24.289Z\", \"dateUpdated\": \"2024-10-10T15:59:28.911Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

