CVE-2022-39221

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') McWebserver Minecraft Mod

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory.

McWebserver mod ejecuta un simple servidor HTTP junto con el servidor de Minecraft en hilos separados. UnSalto de Ruta en McWebserver Minecraft Mod para Fabric y Quilt versiones hasta 0.1.2.1 incluyéndola y McWebserver Minecraft Mod para Forge versiones hasta 0.1.1 incluyéndola, permite que todos los archivos, accesibles por el programa, sean leídos por cualquiera por medio de una petición HTTP. La versión 0.2.0 con parches son liberadas a ambas plataformas (Fabric y Quilt, Forge). Como mitigación, el mod McWebserver puede ser deshabilitado al eliminar el archivo del directorio "mods"

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-09-20 CVE Published
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (2)

URL	Tag	Source
https://github.com/J-onasJones/McWebserver/security/advisories/GHSA-gcvq-42cx-r46q	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/J-onasJones/McWebserver/pull/1	2022-09-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mcwebserver Minecraft Mod For Fabric And Quilt Project Search vendor "Mcwebserver Minecraft Mod For Fabric And Quilt Project"		Mcwebserver Minecraft Mod For Fabric And Quilt Search vendor "Mcwebserver Minecraft Mod For Fabric And Quilt Project" for product "Mcwebserver Minecraft Mod For Fabric And Quilt"				<= 0.1.2.1 Search vendor "Mcwebserver Minecraft Mod For Fabric And Quilt Project" for product "Mcwebserver Minecraft Mod For Fabric And Quilt" and version " <= 0.1.2.1"		-		Affected
Mcwebserver Minecraft Mod For Forge Project Search vendor "Mcwebserver Minecraft Mod For Forge Project"		Mcwebserver Minecraft Mod For Forge Search vendor "Mcwebserver Minecraft Mod For Forge Project" for product "Mcwebserver Minecraft Mod For Forge"				<= 0.1.1 Search vendor "Mcwebserver Minecraft Mod For Forge Project" for product "Mcwebserver Minecraft Mod For Forge" and version " <= 0.1.1"		-		Affected