
WS-2022-0004

Good to know:

Date: January 7, 2022

Some skin data fields (e.g. skinID, geometryName) are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic because TAG_Strings have a 32767-byte limit. If any of these fields exceeds 32767 bytes, an exception is thrown during data saving, which causes the server to crash. Other fields (such as skinGeometryData) are also uncapped, but they have a much larger 2 GB length limit, so they are not a concern, particularly considering the decompressed packet size limit of 2 MB.
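The failure mode described above, and the input-time length check that avoids it, as an added example (not code from this advisory or from the affected project). The function names, the big-endian 2-byte length prefix and the sample skin values are assumptions made for illustration; only the field names and the 32767-byte limit come from the description.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; only the field names and the limit come from the advisory.
const TAG_STRING_MAX_BYTES = 32767;

/** Encodes a TAG_String payload: 2-byte length prefix (big-endian assumed) plus raw bytes. */
function encodeTagString(string $value): string {
    $len = strlen($value); // byte length, not character count
    if ($len > TAG_STRING_MAX_BYTES) {
        // This is the save-time exception the advisory describes.
        throw new LengthException("TAG_String is $len bytes, limit is " . TAG_STRING_MAX_BYTES);
    }
    return pack('n', $len) . $value;
}

/** Rejects oversized skin fields when the skin is received, long before any save. */
function validateSkinFields(array $skin): void {
    foreach (['skinID', 'geometryName'] as $field) {
        $value = $skin[$field] ?? '';
        if (!is_string($value) || strlen($value) > TAG_STRING_MAX_BYTES) {
            throw new InvalidArgumentException("Skin field '$field' exceeds " . TAG_STRING_MAX_BYTES . " bytes");
        }
    }
}

// Constructed sample input: one ordinary skin, one with an oversized skinID.
$samples = [
    'ordinary'  => ['skinID' => 'Standard_Custom', 'geometryName' => 'geometry.humanoid.custom'],
    'oversized' => ['skinID' => str_repeat('A', TAG_STRING_MAX_BYTES + 1), 'geometryName' => 'geometry.humanoid.custom'],
];

foreach ($samples as $label => $skin) {
    try {
        validateSkinFields($skin); // input-time check: the bad skin never reaches player data
        $bytes = encodeTagString($skin['skinID']) . encodeTagString($skin['geometryName']);
        printf("%s: accepted, %d bytes written\n", $label, strlen($bytes));
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected at input (%s)\n", $label, $e->getMessage());
    }
}

// Without the input-time check, the same data only fails later, while saving:
try {
    encodeTagString($samples['oversized']['skinID']);
} catch (LengthException $e) {
    printf("save-time failure: %s\n", $e->getMessage());
}
```

The check compares byte length (`strlen`), since the TAG_String limit is in bytes and multi-byte UTF-8 input can exceed it with fewer characters.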

Language: PHP

Severity Score

Weakness Type (CWE)

Missing Release of Memory after Effective Lifetime

CWE-401

Top Fix

Upgrade Version

Upgrade to version 3.26.5, 4.0.5

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH
