CVE-2023-37262

EPSS 0.15%
Veröffentlicht 07.07.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 08:11:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tweaked ≫ Cc-tweaked SwPlatformminecraft Version < 1.16.5-1.101.3

Tweaked ≫ Cc-tweaked SwPlatformminecraft Version >= 1.17.1-1.98.1 < 1.18.2-1.101.3

Tweaked ≫ Cc-tweaked SwPlatformminecraft Version >= 1.19.1-1.100.9 < 1.19.2-1.101.3

Tweaked ≫ Cc-tweaked SwPlatformminecraft Version >= 1.19.3-1.102.0 < 1.19.4-1.106.0

Tweaked ≫ Cc-tweaked SwPlatformminecraft Version >= 1.20.1-1.105.0 < 1.20.1-1.106.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.364

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.6	3.1	5.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/MightyPirates/OpenComputers/security/advisories/GHSA-vvfj-xh7c-j2cm

Not Applicable

https://github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-7p4w-mv69-2wm2

Vendor Advisory

https://github.com/cc-tweaked/CC-Tweaked/blob/96847bb8c28df51e5e49f2dd2978ff6cc4e2821b/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L116-L126

Product

https://github.com/cc-tweaked/CC-Tweaked/commit/4bbde8c50c00bc572578ab2cff609b3443d10ddf

Patch

https://github.com/dan200/ComputerCraft/issues/170

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-37262

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37262

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37262

EUVD