Advisory #46
TitleBdLib (Minecraft Mod) deserialization of untrusted data in network stack
CVE IDCVE-2021-33806
Affected productBdLib
Affected versions-
Vulnerability typeCWE-502: Deserialization of Untrusted Data
DescriptionBdLib uses ObjectInputStream.readObject() to deserialize some packet data after being sent over the minecraft packet pipeline. However BdLib opens up this up to maliciouly crafted data from untrusted Minecraft servers and clients by not validating the data before deserialization. Which may allow a malicious server/client to execute arbitrary codes.
StatusFixed in
RecommendationUpdate to or above.