CVE-2023-38689

{"id": "CVE-2023-38689", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-08-04T17:15:10.563", "references": [{"url": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RS485/LogisticsPipes/commit/39a90b8f2d1a2bcc512ec68c3e139f1dac07aa56", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/RS485/LogisticsPipes/commit/527c4f4fb028e9afab29d4e639935010ad7be9e7", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/RS485/LogisticsPipes/security/advisories/GHSA-mcp7-xf3v-25x3", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java's `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code. \nThe issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks."}, {"lang": "es", "value": "\"Logistics Pipes es una modificaci\u00f3n (tambi\u00e9n conocida como mod) para el juego de ordenador Minecraft Java Edition. El mod utilizaba Java's `ObjectInputStream#readObject` en datos no fiables procedentes de clientes o servidores a trav\u00e9s de la red, lo que resultaba en una posible ejecuci\u00f3n remota de c\u00f3digo al enviar paquetes de red espec\u00edficamente dise\u00f1ados despu\u00e9s de conectarse. Las versiones afectadas se publicaron entre 2013 y 2016 y el problema (entonces desconocido) se solucion\u00f3 en 2016 mediante una refactorizaci\u00f3n del c\u00f3digo de E/S de red. \nEl problema est\u00e1 presente en todas las versiones de Logistics Pipes, desde la 0.7.0.91 hasta la 0.10.0.71, que se descargaron desde diferentes plataformas y que suman varios millones de descargas. Para Minecraft versi\u00f3n 1.7.10 el problema se solucion\u00f3 en la versi\u00f3n 0.10.0.71. Todo el mundo en Minecraft 1.7.10 debe comprobar su n\u00famero de versi\u00f3n de Log\u00edstica Tuber\u00edas en su lista de mods y actualizaci\u00f3n, si el n\u00famero de versi\u00f3n es menor que 0.10.0.71. Cualquier versi\u00f3n m\u00e1s reciente de Minecraft compatible (como 1.12.2) nunca tuvo una versi\u00f3n de Logistics Pipes con c\u00f3digo vulnerable. La mejor soluci\u00f3n disponible para las versiones vulnerables es jugar en un solo jugador o actualizar a nuevas versiones de Minecraft y modpacks.\"\n"}], "lastModified": "2024-11-21T08:14:03.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rs485:logisticspipes:*:*:*:*:*:minecraft:*:*", "vulnerable": true, "matchCriteriaId": "DDB83922-E7A5-4002-85C5-5B46BE9A1E86", "versionEndExcluding": "0.10.0.71", "versionStartIncluding": "0.7.0.91"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}