de.gurkenlabs:litiengine v0.4.7-alpha vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the de.gurkenlabs:litiengine package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data de.gurkenlabs:litiengine is a pure 2D free java game engine. Written in plain Java 8 it provides all the infrastructure to create a 2D tile based java game, be it a platformer or a top-down adventure. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can supply any instance of Serializable to MessagePacket and it would deserialize it without any checks. This could allow a remote attacker to execute arbitrary code if the classpath contains vulnerable serializable classes. How to fix Deserialization of Untrusted Data? Upgrade `de.gurkenlabs:litiengine` to version 0.5.1 or higher.	[0,0.5.1)
M Insecure Randomness de.gurkenlabs:litiengine is a pure 2D free java game engine. Written in plain Java 8 it provides all the infrastructure to create a 2D tile based java game, be it a platformer or a top-down adventure. Affected versions of this package are vulnerable to Insecure Randomness. The client IDs in ClientConnection are sequential. This easily allows an attacker to spoof another player's ID. How to fix Insecure Randomness? Upgrade `de.gurkenlabs:litiengine` to version 0.5.1 or higher.	[0,0.5.1)
M Improper Input Validation de.gurkenlabs:litiengine is a pure 2D free java game engine. Written in plain Java 8 it provides all the infrastructure to create a 2D tile based java game, be it a platformer or a top-down adventure. Affected versions of this package are vulnerable to Improper Input Validation. The `validate` method of `litiengine/src/de/gurkenlabs/litiengine/net/messages/MessageHandler.java` is not abstract. This means that a subclass of ClientMessage will accept any message (as long as it's not null) by default if the developer forgets to implement `validate`. How to fix Improper Input Validation? Upgrade `de.gurkenlabs:litiengine` to version 0.5.1 or higher.	[0,0.5.1)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

de.gurkenlabs:litiengine is a pure 2D free java game engine. Written in plain Java 8 it provides all the infrastructure to create a 2D tile based java game, be it a platformer or a top-down adventure.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can supply any instance of Serializable to MessagePacket and it would deserialize it without any checks. This could allow a remote attacker to execute arbitrary code if the classpath contains vulnerable serializable classes.

How to fix Deserialization of Untrusted Data?

Upgrade de.gurkenlabs:litiengine to version 0.5.1 or higher.

[0,0.5.1)

Insecure Randomness

Affected versions of this package are vulnerable to Insecure Randomness. The client IDs in ClientConnection are sequential. This easily allows an attacker to spoof another player's ID.

How to fix Insecure Randomness?

Upgrade de.gurkenlabs:litiengine to version 0.5.1 or higher.

[0,0.5.1)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation. The validate method of litiengine/src/de/gurkenlabs/litiengine/net/messages/MessageHandler.java is not abstract. This means that a subclass of ClientMessage will accept any message (as long as it's not null) by default if the developer forgets to implement validate.

How to fix Improper Input Validation?

Upgrade de.gurkenlabs:litiengine to version 0.5.1 or higher.

[0,0.5.1)

de.gurkenlabs:litiengine@v0.4.7-alpha vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

package manager

Direct Vulnerabilities

How to fix?