NVD Vulnerability Detail

CVE-2021-37632

Summary	SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher.
Publication Date	Aug. 6, 2021, 6:15 a.m.
Registration Date	Aug. 6, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:15 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:config_lib_project:config_lib::::::::		1.0.4			1.0.9

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6		Third Party Advisory
2	https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6		Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-502	信頼性のないデータのデシリアライゼーション	https://cwe.mitre.org/data/definitions/502.html

JVN Vulnerability Information

SuperMartijn642's Config Lib における信頼できないデータのデシリアライゼーションに関する脆弱性

Title	SuperMartijn642's Config Lib における信頼できないデータのデシリアライゼーションに関する脆弱性
Summary	SuperMartijn642's Config Lib には、信頼できないデータのデシリアライゼーションに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 5, 2021, midnight
Registration Date	June 22, 2022, 5:40 p.m.
Last Update	June 22, 2022, 5:40 p.m.

Affected System

config_lib project

SuperMartijn642's Config Lib 1.0.4 から 1.0.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-37632	https://www.cve.org/CVERecord?id=CVE-2021-37632
National Vulnerability Database (NVD)
2	CVE-2021-37632	https://nvd.nist.gov/vuln/detail/CVE-2021-37632

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-502	https://cwe.mitre.org/data/definitions/502.html

ベンダー情報

No	Name	URL
GitHub
1	Deserialization of Untrusted Data in com.supermartijn642.configlib.ConfigSyncPacket	https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6

Change Log

No	Changed Details	Date of change
1	[2022年06月22日] 掲載	June 22, 2022, 5:40 p.m.