{"url":"http://public2.vulnerablecode.io/api/packages/530206?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.25.0","type":"composer","namespace":"pocketmine","name":"pocketmine-mp","version":"3.25.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.11.2","latest_non_vulnerable_version":"5.42.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360873?format=json","vulnerability_id":"VCID-21se-t8q9-yudv","summary":"PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)\n### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.\n\nThis happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.\n\n Code processing arrays in the JSON data could then crash due to unexpected `NULL` elements.\n\n### Patches\nThis problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c\n\nAn upstream patch for this issue was proposed via https://github.com/cweiske/jsonmapper/pull/211; however, as of 2024-05-15, the patch has not been accepted upstream due to debate about how to deal with the behavior. 
For now, a fork of JsonMapper is used by PocketMine-MP to work around the issue.\n\n### Workarounds\nA plugin may handle `DataPacketReceiveEvent` for `LoginPacket` and check that none of the input arrays contain `NULL` where it's not expected, but this is rather cumbersome.\n\n### References\nProposed upstream patch for a behavior change: https://github.com/cweiske/jsonmapper/pull/211","references":[{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/4f90e8dab1c9df331fad7d3d89823404e882668c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/4f90e8dab1c9df331fad7d3d89823404e882668c"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-92jh-gwch-jq38","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-92jh-gwch-jq38"},{"reference_url":"https://github.com/advisories/GHSA-92jh-gwch-jq38","reference_id":"GHSA-92jh-gwch-jq38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-92jh-gwch-jq38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379692?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.23.1","is_vulnerable":true,"affected_by_vulnerabilities
":[{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-fhba-frv3-nbak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.23.1"},{"url":"http://public2.vulnerablecode.io/api/packages/379691?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-fhba-frv3-nbak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.3.1"}],"aliases":["GHSA-92jh-gwch-jq38","GMS-2023-2249"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21se-t8q9-yudv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206996?format=json","vulnerability_id":"VCID-2sbu-jxum-5fce","summary":"Inability to de-op players if listed in ops.txt with non-lowercase letters","references":[{"reference_url":"https://github.com/iTXTech/Genisys/issues/1188","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/iTXTech/Genisys/issues/1188"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.0.3/changelogs/4.0.md#403","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"ht
tps://github.com/pmmp/PocketMine-MP/blob/4.0.3/changelogs/4.0.md#403"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/4d37b79ff7f9d9452e988387f97919a9a1c4954e","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/4d37b79ff7f9d9452e988387f97919a9a1c4954e"},{"reference_url":"https://github.com/advisories/GHSA-j5qg-w9jg-3wg3","reference_id":"GHSA-j5qg-w9jg-3wg3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j5qg-w9jg-3wg3"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-j5qg-w9jg-3wg3","reference_id":"GHSA-j5qg-w9jg-3wg3","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-j5qg-w9jg-3wg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18385?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-ntjs-ceva-8yas"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-ss78-eefn-77fx"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"},{"vulnerabi
lity":"VCID-xjuq-7177-rfc1"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.3"}],"aliases":["GHSA-j5qg-w9jg-3wg3","GMS-2021-54"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2sbu-jxum-5fce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211727?format=json","vulnerability_id":"VCID-48ue-wv63-4ugn","summary":"PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)","references":[{"reference_url":"https://github.com/cweiske/jsonmapper/issues/226","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/issues/226"},{"reference_url":"https://github.com/cweiske/jsonmapper/pull/225","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/pull/225"},{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/b96a209f9e8b76b899a0d0918493cd87eb3c02a7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/b96a209f9e8b76b899a0d0918493cd87eb3c02a7"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:
N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/6872661fd03649cc7a8762c41c16e9ee5a4de1c9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/6872661fd03649cc7a8762c41c16e9ee5a4de1c9"},{"reference_url":"https://github.com/advisories/GHSA-h6j3-j35f-v2x7","reference_id":"GHSA-h6j3-j35f-v2x7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h6j3-j35f-v2x7"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6j3-j35f-v2x7","reference_id":"GHSA-h6j3-j35f-v2x7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6j3-j35f-v2x7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29549?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fhba-frv3-nbak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.11.1"}],"aliases":["GHSA-h6j3-j35f-v2x7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-48ue-wv63-4ugn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361094?format=json","vulnerability_id":"VCID-512n-rhbr-c
qcy","summary":"PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'\n### Impact\nA \"mismatch\" type `InventoryTransactionPacket` is sent by the client to request a resync of all currently open inventories.\n\nSince PocketMine-MP does not rate-limit these \"mismatch\" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).\n\nThis is not currently known to have been exploited in the wild.\n\n### Patches\nThis problem was fixed in 4.18.0-ALPHA2 by ca6d51498f12427a947467da8fcad7811418e6cc alongside the introduction of the `ItemStackRequest` system implementation.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` for `InventoryTransactionPacket` and check if the type is `MismatchTransactionData`. If it is, apply some kind of rate limit (e.g. 
max 1 per tick).","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.0-ALPHA2/changelogs/4.18-alpha.md#4180-ALPHA2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.0-ALPHA2/changelogs/4.18-alpha.md#4180-ALPHA2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-42qm-8v8m-m78c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-42qm-8v8m-m78c"},{"reference_url":"https://github.com/advisories/GHSA-42qm-8v8m-m78c","reference_id":"GHSA-42qm-8v8m-m78c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-42qm-8v8m-m78c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381854?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.18.0-ALPHA2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-qgtx-5npy-q7c4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.18.0-ALPHA2"}],"aliases":["GHSA-42qm-8v8m-m78c","GM
S-2023-1728"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-512n-rhbr-cqcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208934?format=json","vulnerability_id":"VCID-b96w-azrg-sqah","summary":"Insufficient type validation in pocketmine/pocketmine-mp","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md#429","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md#429"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/releases/tag/4.2.9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/releases/tag/4.2.9"},{"reference_url":"https://github.com/advisories/GHSA-g5rr-p69h-7v3g","reference_i
d":"GHSA-g5rr-p69h-7v3g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5rr-p69h-7v3g"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g","reference_id":"GHSA-g5rr-p69h-7v3g","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20250?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.9"}],"aliases":["GHSA-g5rr-p69h-7v3g","GMS-2022-913"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b96w-azrg-sqah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210674?format=json","vulnerability_id":"VCID-drn3-hfmz-mbgj","summary":"Denial-of-service vulnerability processing large chat messages containing many 
newlines","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/advisories/GHSA-gj94-v4p9-w672","reference_id":"GHSA-gj94-v4p9-w672","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gj94-v4p9-w672"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672","reference_id":"GHSA-gj94-v4p9-w672","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24289?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.10"}],"aliases":["GHSA-gj94-v4p9-w672"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-drn3-hfmz-mbgj"},{"url":"http://public2.vulnerablecode.io
/api/vulnerabilities/139153?format=json","vulnerability_id":"VCID-et56-qjpe-2yd6","summary":"PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7332","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.5189","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7332"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2"},{"reference_url":"https://www.cve.org/cverecord?id=CVE-2023-7332","reference_id":"","reference_type"
:"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/cverecord?id=CVE-2023-7332"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md","reference_id":"4.18.md","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/5897476","reference_id":"5897476","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/commit/5897476"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7332","reference_id":"CVE-2023-7332","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7332"},{"reference_url":"https://github.com/advisories/GHSA-h87r-f4vc-mchv","reference_id":"GHSA-h87r-f4vc-mchv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h87r-f4vc-mchv"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv","reference_id":"GHSA-h87r-f4vc-mchv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scor
ing_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv"},{"reference_url":"https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash","reference_id":"pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381710?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-qgtx-5npy-q7c4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.18.1"}],"aliases":["CVE-2023-7332","GHSA-h87r-f4vc-mchv","GMS-2023-1797"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-et56-qjpe-2yd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211726?format=json","vulnerability_id":"VCID-fhba-frv3-nbak","summary":"PocketMine-MP BookEditPacket crash when inventory slot in the packet is 
invalid","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7"},{"reference_url":"https://github.com/advisories/GHSA-xc7j-wj36-qjfr","reference_id":"GHSA-xc7j-wj36-qjfr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc7j-wj36-qjfr"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr","reference_id":"GHSA-xc7j-wj36-qjfr","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_
elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29548?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.11.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.11.2"}],"aliases":["GHSA-xc7j-wj36-qjfr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fhba-frv3-nbak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360911?format=json","vulnerability_id":"VCID-k8xn-bve5-duh7","summary":"PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash\n### Impact\n`DyeColorIdMap->fromId()` did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened.\n\nThis code is indirectly called during [`Banner->deserializeCompoundTag()`](https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104), which is invoked when deserializing any item NBT, whether from network or disk.\n\nAn attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, or by using `/give` to obtain an item with NBT like this.\n\n### Patches\n08b9495bce2d65a6d1d3eeb76e484499a00765eb\n\n### Workarounds\nThis is quite difficult to work around via a plugin. 
Theoretically, it's possible to override the `Banner` item class from a plugin and validate the data before it reaches `deserializeCompoundTag()`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@pmmp.io](mailto:security@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/08b9495bce2d65a6d1d3eeb76e484499a00765eb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/08b9495bce2d65a6d1d3eeb76e484499a00765eb"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-wqqv-jcfr-9f5g","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-wqqv-jcfr-9f5g"},{"reference_url":"https:/
/github.com/advisories/GHSA-wqqv-jcfr-9f5g","reference_id":"GHSA-wqqv-jcfr-9f5g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqqv-jcfr-9f5g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380022?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-qgtx-5npy-q7c4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.8.1"}],"aliases":["GHSA-wqqv-jcfr-9f5g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k8xn-bve5-duh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207445?format=json","vulnerability_id":"VCID-kc9g-pgj4-77gf","summary":"Impersonation of other users (passing XBOX Live authentication) by theft of logins in 
PocketMine-MP","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/issues/4580","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/issues/4580"},{"reference_url":"https://github.com/advisories/GHSA-h79x-98r2-g6qc","reference_id":"GHSA-h79x-98r2-g6qc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h79x-98r2-g6qc"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h79x-98r2-g6qc","reference_id":"GHSA-h79x-98r2-g6qc","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h79x-98r2-g6qc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18588?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-2sbu-jxum-5fce"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vu
lnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-ntjs-ceva-8yas"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-ss78-eefn-77fx"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"},{"vulnerability":"VCID-xjuq-7177-rfc1"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.0"}],"aliases":["GHSA-h79x-98r2-g6qc","GMS-2022-25"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kc9g-pgj4-77gf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361090?format=json","vulnerability_id":"VCID-qgtx-5npy-q7c4","summary":"PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency\n### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.\n\nThis happened due to a bug in [`netresearch/jsonmapper`](https://github.com/cweiske/JsonMapper). The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.\n\n### Patches\nThe problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.\n\n### Workarounds\n- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.\n- A plugin may also be able to work around this issue by using `DataPacketReceiveEvent` to attempt detection of suspicious payloads. 
An `ErrorException` will be thrown in the crash case, which can be caught by plugins.\n\n### References\ncweiske/jsonmapper#210","references":[{"reference_url":"https://github.com/cweiske/jsonmapper/pull/210","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/pull/210"},{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm"},{"reference_url":"https://github.com/advisories/GHSA-pqp3-8rrw-g8vm","reference_id":"GHSA-pqp3-8rrw-g8vm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pqp3-8rrw-g8vm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381788?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.20.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-ht7e-71un-p3b6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.20.5"},{"url":"http://public2.vulnerablecode.io/api/packages/381789?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.21.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-ht7e-71un-p3b6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.21.1"}],"aliases":["GHSA-pqp3-8rrw-g8vm","GMS-2023-1798"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qgtx-5npy-q7c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207256?format=json","vulnerability_id":"VCID-ss78-eefn-77fx","summary":"Uncapped length of skin data fields submitted by 
players","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/6492cac5c10f9fa8443ceddd2191a7b65b73f601","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/6492cac5c10f9fa8443ceddd2191a7b65b73f601"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/958a9dbf0fe3131ab60319c5a939f5dfbfe5dfbb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/958a9dbf0fe3131ab60319c5a939f5dfbfe5dfbb"},{"reference_url":"https://github.com/advisories/GHSA-c6fg-99pr-25m9","reference_id":"GHSA-c6fg-99pr-25m9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6fg-99pr-25m9"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-c6fg-99pr-25m9","reference_id":"GHSA-c6fg-99pr-25m9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-c6fg-99pr-25m9"}],"
fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18587?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.26.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-kc9g-pgj4-77gf"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.26.5"},{"url":"http://public2.vulnerablecode.io/api/packages/18589?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-ntjs-ceva-8yas"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5"}],"aliases":["GHSA-c6fg-99pr-25m9","GMS-2022-3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ss78-eefn-77fx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208555?format=json","vulnerability_id":"VCID-u9mw-pj6c-b3c4","summary":"Improperly checked metadata on tools/armour itemstacks received from the 
client","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1"},{"reference_url":"https://github.com/advisories/GHSA-46c5-pfj8-fv65","reference_id":"GHSA-46c5-pfj8-fv65","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-46c5-pfj8-fv65"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-46c5-pfj8-fv65","reference_id":"GHSA-46c5-pfj8-fv65","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-46c5-pfj8-fv65"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19802?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"}
,{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.4"}],"aliases":["GHSA-46c5-pfj8-fv65","GMS-2022-458"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u9mw-pj6c-b3c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207255?format=json","vulnerability_id":"VCID-xjuq-7177-rfc1","summary":"Book page text, count, and author/title length is not limited in PocketMine-MP","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/advisories/GHSA-p62j-hrxm-xcxf","reference_id":"GHSA-p62j-hrxm-xcxf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p62j-hrxm-xcxf"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-p62j-hrxm-xcxf","reference_id":"GHSA-p62j-hrxm-xcxf","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-p62j-hrxm-xcxf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18587?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.26.5","is_vulnerable":true,"affected_by_
vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-kc9g-pgj4-77gf"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.26.5"},{"url":"http://public2.vulnerablecode.io/api/packages/18589?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-ntjs-ceva-8yas"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"},{"vulnerability":"VCID-yqdh-k9nx-bqbh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5"}],"aliases":["GHSA-p62j-hrxm-xcxf","GMS-2022-4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xjuq-7177-rfc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207391?format=json","vulnerability_id":"VCID-yqdh-k9nx-bqbh","summary":"Unchecked validity of Facing values in 
PlayerActionPacket","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/f126479c37ff00a717a828f5271cf8e821d12d6c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/f126479c37ff00a717a828f5271cf8e821d12d6c"},{"reference_url":"https://github.com/advisories/GHSA-xh99-hw7h-wf63","reference_id":"GHSA-xh99-hw7h-wf63","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh99-hw7h-wf63"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xh99-hw7h-wf63","reference_id":"GHSA-xh99-hw7h-wf63","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xh99-hw7h-wf63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18726?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21se-t8q9-yudv"},{"vulnerability":"VCID-48ue-wv63-4ugn"},{"vulnerability":"VCID-512n-rhbr-cqcy"},{"vulnerability":"VCID-b96w-azrg-sqah"},{"vulnerability":"VCID-drn3-hfmz-mbgj"},{"vulnerability":"VCID-et56
-qjpe-2yd6"},{"vulnerability":"VCID-fhba-frv3-nbak"},{"vulnerability":"VCID-k8xn-bve5-duh7"},{"vulnerability":"VCID-ntjs-ceva-8yas"},{"vulnerability":"VCID-qgtx-5npy-q7c4"},{"vulnerability":"VCID-u9mw-pj6c-b3c4"},{"vulnerability":"VCID-v3u1-9zqz-s7h9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.6"}],"aliases":["GHSA-xh99-hw7h-wf63","GMS-2022-27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yqdh-k9nx-bqbh"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.25.0"}