GHSA-H87R-F4VC-MCHV
Vulnerability from github – Published: 2023-06-06 01:51 – Updated: 2025-12-31 21:42
VLAI?
Summary
PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
Details
Impact
In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar.
This did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild.
Patches
This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1.
Workarounds
Handle InventoryTransactionPacket in DataPacketReceiveEvent, and verify that the item count dropped isn't more than the available item count. However, it's complicated to do this, so it's not recommended.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-7332"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T01:51:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nIn 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar.\n\nThis did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild.\n\n### Patches\nThis was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1.\n\n### Workarounds\nHandle `InventoryTransactionPacket` in `DataPacketReceiveEvent`, and verify that the item count dropped isn\u0027t more than the available item count. However, it\u0027s complicated to do this, so it\u0027s not recommended.",
"id": "GHSA-h87r-f4vc-mchv",
"modified": "2025-12-31T21:42:11Z",
"published": "2023-06-06T01:51:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2"
},
{
"type": "PACKAGE",
"url": "https://github.com/pmmp/PocketMine-MP"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181"
},
{
"type": "WEB",
"url": "https://www.cve.org/cverecord?id=CVE-2023-7332"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…