JVN#53278122
Minecraft Java Edition vulnerable to directory traversal
Overview
Minecraft Java Edition contains a directory traversal vulnerability.
Products Affected
- Minecraft 1.17 and earlier
Description
Minecraft Java Edition provided by Mojang Studios contains a directory traversal vulnerability (CWE-22).
Impact
Arbitrary JSON files on the system using the product may be deleted by an attacker.
Solution
Update Minecraft
Update Minecraft to the latest version according to the information provided by the developer. The developer fixed the vulnerability and released 1.17.1 Pre-release 1 (1.17.1-pre).
The users of Spigot or Forge released for the following Minecraft versions are recommended to apply the latest versions for the respective products. In this way, users of Spigot or Forge are not required to change Minecraft version, and the impact of this vulnerability can be mitigated.
- Spigot
- Minecraft 1.16.5
- Minecraft 1.17
- Forge
- Minecraft 1.15.2
- Minecraft 1.16.5
Vendor Status
| Vendor | Link |
| Mojang Studios | MINECRAFT 1.17.1 PRE-RELEASE 1 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
RyotaK reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2021-35054 |
| JVN iPedia |
JVNDB-2021-000072 |
Update History
- 2021/07/27
- Fixed the typo in [Solution] section.