Advisory #46
| Field | Value |
| --- | --- |
| Title | BdLib (Minecraft Mod) deserialization of untrusted data in network stack |
| CVE ID | CVE-2021-33806 |
| Vendor | bdew |
| Affected product | BdLib |
| Affected versions | up to and including 1.16.1.6 |
| Vulnerability type | CWE-502: Deserialization of Untrusted Data |
| Description | BdLib uses ObjectInputStream.readObject() to deserialize some packet data received over the Minecraft packet pipeline. Because the data is not validated before deserialization, BdLib accepts maliciously crafted data from untrusted Minecraft servers and clients, which may allow a malicious server or client to execute arbitrary code on the peer. |
| Status | Fixed in 1.16.1.7 |
| Recommendation | Update to 1.16.1.7 or above. |
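The pattern behind this advisory, shown as an added example that is not BdLib's code: a hypothetical packet handler that deserializes peer-supplied bytes with an unrestricted ObjectInputStream, beside a hardened version that installs a class allowlist and size limits via ObjectInputFilter (assumes Java 9 or newer; the class and payload names are invented for the example).

```java
import java.io.*;
import java.util.HashMap;

public final class PacketDeserialization {
    // Hypothetical packet payload type for this example; not a BdLib class.
    public static final class TextPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        TextPayload(String text) { this.text = text; }
    }

    // Vulnerable pattern (CWE-502): every byte came from the remote peer, and
    // readObject() instantiates whatever class the stream names.
    static Object readUnfiltered(byte[] fromNetwork) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromNetwork))) {
            return ois.readObject();
        }
    }

    // Hardened form: an allowlist filter (Java 9+) rejects every class not named here,
    // and the depth/size limits make malformed streams fail before much work is done.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;maxrefs=64;"
            + TextPayload.class.getName() + ";java.lang.String;!*");

    static TextPayload readFiltered(byte[] fromNetwork) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromNetwork))) {
            ois.setObjectInputFilter(ALLOWLIST);   // a rejected class raises InvalidClassException
            Object o = ois.readObject();
            if (!(o instanceof TextPayload)) {     // still check for the one type we expect
                throw new IOException("unexpected payload type: " + o.getClass().getName());
            }
            return (TextPayload) o;
        }
    }

    // Constructed inputs standing in for packets received from a peer.
    static byte[] serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(s); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readFiltered(serialize(new TextPayload("hello"))).text);
        try {
            readFiltered(serialize(new HashMap<String, String>()));   // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter limits what a peer can make the stream instantiate, but the more thorough remedy for network packets is to avoid Java serialization altogether and read each expected field from the packet buffer explicitly.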