Advisory #45
| Title | RebornCore (Minecraft Mod) deserialization of untrusted data in network stack |
| CVE ID | CVE-2021-33790 |
| Vendor | Team Reborn |
| Affected product | RebornCore |
| Affected versions | - 4.7.2, - 4.2.9, - 3.19.4 |
| Vulnerability type | CWE-502: Deserialization of Untrusted Data |
| Description | RebornCore uses ObjectInputStream.readObject() to deserialize some packet data after being sent over the minecraft packet pipeline. However RebornCore opens up this up to maliciouly crafted data from untrusted Minecraft servers and clients by not validating the data before deserialization. Which may allow a malicious server/client to execute arbitrary codes. |
| Status | Fixed in 4.7.3, 4.2.10, 3.19.5 |
| Recommendation | Update to fixed version. |