CVE-2021-33790

{"id": "CVE-2021-33790", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-05-31T04:15:08.153", "references": [{"url": "https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://vuln.ryotak.me/advisories/45", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.curseforge.com/minecraft/mc-mods/reborncore", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed."}, {"lang": "es", "value": "La biblioteca RebornCore versiones anteriores a 4.7.3, permite una ejecuci\u00f3n de c\u00f3digo remota porque deserializa datos no confiables en la funci\u00f3n ObjectInputStream.readObject como parte de reborncore.common.network.ExtendedPacketBuffer. Un atacante puede crear una instancia de cualquier clase en la ruta de clases con cualquier dato. Una clase utilizable para explotaci\u00f3n puede estar presente o no, dependiendo de las modificaciones de Minecraft instaladas"}], "lastModified": "2021-06-11T19:38:06.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:minecraft:minecraft:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8D7B27EC-B06B-4D24-B15C-07A86BC95A2E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:techreborn:reborncore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB031ED5-7EA7-4EA0-A261-E022E1EF5477", "versionEndIncluding": "3.13.8"}, {"criteria": "cpe:2.3:a:techreborn:reborncore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3278956C-6797-48E5-9B15-16FA1DF3D8A8", "versionEndExcluding": "3.19.5", "versionStartIncluding": "3.19.0"}, {"criteria": "cpe:2.3:a:techreborn:reborncore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC86AE4F-8096-4E89-8DF3-887A997A8196", "versionEndExcluding": "4.2.10", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:techreborn:reborncore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1443CC3B-4EB8-44FF-85F3-C81407D89DAC", "versionEndExcluding": "4.7.3", "versionStartIncluding": "4.7.0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}