Advisory #55
Title | Minecraft arbitrary JSON file deletion via path traversal |
CVE ID | CVE-2021-35054 |
Vendor | Mojang Studios |
Affected product | Minecraft |
Affected versions | <= 1.17 |
Vulnerability type | CWE-22 (Path Traversal) |
Description | Minecraft has a vulnerability that allows an attacker to perform path traversal if "online-mode=false" is specified, which leads to arbitrary JSON file deletion. |
Status | Fixed in 1.17.1 |
Recommendation | Update to 1.17.1 or above. If you can't update Minecraft, there are some workarounds: 1. Set "online-mode" to "true". 2. Verify the Minecraft username before handling connections. 3. The latest versions of Forge 1.15.2/1.16.5 and Spigot 1.16.5/1.17 include a patch for this vulnerability, according to their developers. |
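
One way to implement workaround 2 on a server or proxy that cannot be updated, shown as an added example (not code from Mojang, Forge, Spigot or this advisory). Assumptions: valid usernames are 3-16 characters from `[A-Za-z0-9_]`, and the class name, method names and `playerdata-example` directory are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class UsernameGuard {
    // Assumption: usernames are 3-16 characters from [A-Za-z0-9_].
    // matches() must consume the whole string, so no separators, dots or newlines pass.
    private static final Pattern VALID_NAME = Pattern.compile("[A-Za-z0-9_]{3,16}");

    /** Returns true only for names with the allowed characters and length. */
    static boolean isValidUsername(String name) {
        return name != null && VALID_NAME.matcher(name).matches();
    }

    /**
     * Builds the path of a per-player JSON file and refuses anything that
     * would resolve outside baseDir (defence in depth behind the name check).
     */
    static Path playerJson(Path baseDir, String name) {
        if (!isValidUsername(name)) {
            throw new IllegalArgumentException("rejected username");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name + ".json").normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("playerdata-example"); // hypothetical directory
        // Constructed sample login names, not taken from the advisory.
        String[] samples = {"Steve_01", "../outside", "..\\outside", "a/b", "ab", ""};
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + s + " -> " + playerJson(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

The name check has to run before the connection is handled any further; the containment check then catches any path built from a name that slipped past it.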