Information Exposure Affecting pocketmine/pocketmine-mp package, versions <3.27.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-POCKETMINEPOCKETMINEMP-2359028
- published23 Jan 2022
- disclosed21 Jan 2022
- creditHen2527
Introduced: 21 Jan 2022
CVE NOT AVAILABLE CWE-200 (opens in a new tab)How to fix?
Upgrade pocketmine/pocketmine-mp to version 3.27.0 or higher.
Overview
pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP
Affected versions of this package are vulnerable to Information Exposure via the token verification process.
Verification Process:
- The client generates a private ECC key
clientPrivwhich it uses to complete ECDH for encryption. - A JWT containing the public key
clientPubcorresponding to this key is signed by Microsoft servers with the Mojang root public keymojangPub. - The server verifies that the token was issued by Microsoft servers by verifying the JWT signature with
mojangPub.
During this process, the server does not verify that the client possesses the private key corresponding to the public key in the token.
In the attack, the attacker can send a login captured from another session. This login is valid because it is verifiable by mojangPub. However, without encryption, the server doesn't know that the client actually possesses clientPriv, and the authenticity of the client cannot be verified.