Advisory #45
Title: RebornCore (Minecraft Mod) deserialization of untrusted data in network stack
CVE ID: CVE-2021-33790
Vendor: Team Reborn
Affected product: RebornCore
Affected versions: - 4.7.2, - 4.2.9, - 3.19.4
Vulnerability type: CWE-502: Deserialization of Untrusted Data
Description: RebornCore uses ObjectInputStream.readObject() to deserialize some packet data after it has been sent over the Minecraft packet pipeline. Because the data is not validated before deserialization, RebornCore is exposed to maliciously crafted data from untrusted Minecraft servers and clients, which may allow a malicious server or client to execute arbitrary code.
Status: Fixed in 4.7.3, 4.2.10, 3.19.5
Recommendation: Update to a fixed version.