Published:2019/06/13  Last Updated:2019/06/13

JVN#89046645
A map plugin for Mincraft server "Dynmap" fails to restrict access permissions

Overview

A map plugin for Mincraft server "Dynmap" fails to restrict access permissions.

Products Affected

  • Dynmap v3.0-beta-3 and earlier

Description

A map plugin for Mincraft server "Dynmap" fails to restrict access permissions (CWE-284).

Impact

Under the circumstance where a user is required to login Dynmap, a remote attacker may bypass the login authentication and be able to see a map image that requires authentication.

Solution

Update the Plugin
Update to the latest version of Dynmap according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

RyotaK directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2019-12395
JVN iPedia JVNDB-2019-000037