pocketmine/pocketmine-mp Security Advisories for 4.7.0 (9)
-
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)
PKSA-7cft-g1hs-ddc8 GHSA-h6j3-j35f-v2x7
Affected version: <5.11.1
Reported by:
GitHub -
[HIGH] PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid
PKSA-krv9-c6mg-smc2 GHSA-xc7j-wj36-qjfr
Affected version: <5.11.2
Reported by:
GitHub -
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
PKSA-nv2r-zxzd-wzsw GHSA-92jh-gwch-jq38
Affected version: <=4.23.0|>=5.0.0,<=5.3.0
Reported by:
GitHub -
[HIGH] PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
PKSA-rjb4-mbc7-gvrq GHSA-h87r-f4vc-mchv
Affected version: <4.18.1
Reported by:
GitHub -
[HIGH] PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
PKSA-mdrw-7xfy-3575 GHSA-pqp3-8rrw-g8vm
Affected version: >=4.21.0,<4.21.1|<4.20.5
Reported by:
GitHub -
[MEDIUM] PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'
PKSA-3mjs-tbmc-n317 GHSA-42qm-8v8m-m78c
Affected version: <4.18.0-ALPHA2
Reported by:
GitHub -
[MEDIUM] PocketMine-MP vulnerable to denial-of-service by sending large modal form responses
PKSA-6mdv-sgnk-4jgv GHSA-7m9r-rq9j-wmmh
Affected version: <4.12.5
Reported by:
GitHub -
[HIGH] PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
PKSA-dy8b-jxh6-kdd2 GHSA-wqqv-jcfr-9f5g
Affected version: <4.8.1
Reported by:
GitHub -
[HIGH] PocketMine-MP invalid skin geometry JSON data leading to server crash
PKSA-g2v4-vgph-zkgr GHSA-8cwq-4cmf-px73
Affected version: <4.7.2
Reported by:
GitHub