Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') McWebserver Minecraft Mod
CVE-2022-39221

7.5HIGH

Key Information:

Vendor: J-onasjones
Status: Mcwebserver
Vendor: CVE Published:; 21 September 2022

🔔 Create J-onasjones Vulnerability Alert

What is CVE-2022-39221?

McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the mods directory.

Affected Version(s)

McWebserver < 0.2.0

References

https://github.com/J-onasJones/McWebserver/security/advis...

x_refsource_CONFIRM

https://github.com/J-onasJones/McWebserver/pull/1

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 21, 2022
Vulnerability Reserved
Sep 2, 2022

CVE-2022-39221 Data

JSON