Unchecked validity of Facing values in PlayerActionPacket

Impact

A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with START_BREAK or CRACK_BLOCK actions, or with a UseItemTransactionData (typically in InventoryTransactionPacket).

Patches

f126479c37ff00a717a828f5271cf8e821d12d6c

Workarounds

Using a plugin, cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases.

For more information

If you have any questions or comments about this advisory:

Email us at team@pmmp.io

Published: Jan 13, 2022
Updated: Apr 14, 2023
GHSA: GHSA-xh99-hw7h-wf63
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
pocketmine / pocketmine-mp	-	4.0.6

Vulnerability Database

Unchecked validity of Facing values in PlayerActionPacket

Impact

Patches

Workarounds

For more information

Deep Security Visibility Without the Complexity