In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsA fix was pushed into the master
branch but not yet published.
Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to the management of client connections by OTAPI, which allows stale UUIDs to remain on RemoteClient
instances after a player disconnects. An attacker can assume the login state of a previously connected player by connecting with a modified client that omits the ClientUUID#68
packet.
Note:
This is only exploitable if the server has UUID login enabled, an authenticated player disconnects, and the server assigns the same RemoteClient
object to the newly connected player.
This vulnerability can be mitigated by implementing a RemoteClient reset event handler in a plugin.