CVE-2021-39177 - Vulnerability Details - OpenCVE

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Geysermc	Geyser

Configuration 1 [-]

cpe:2.3:a:geysermc:geyser:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6
https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858
https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-30T23:00:12

Updated: 2024-08-04T01:58:18.223Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39177

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-30T23:15:07.070

Modified: 2024-11-21T06:18:48.060

Link: CVE-2021-39177

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Geyser", "vendor": "GeyserMC", "versions": [{"status": "affected", "version": "<= 1.4.1-SNAPSHOT"}]}], "descriptions": [{"lang": "en", "value": "Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-30T23:00:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6"}, {"tags": ["x_refsource_MISC"], "url": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY"}], "source": {"advisory": "GHSA-h77f-xxx7-4858", "discovery": "UNKNOWN"}, "title": "User impersonation due to incorrect handling of the login JWT", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39177", "STATE": "PUBLIC", "TITLE": "User impersonation due to incorrect handling of the login JWT"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Geyser", "version": {"version_data": [{"version_value": "<= 1.4.1-SNAPSHOT"}]}}]}, "vendor_name": "GeyserMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858", "refsource": "CONFIRM", "url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858"}, {"name": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6", "refsource": "MISC", "url": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6"}, {"name": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY", "refsource": "MISC", "url": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY"}]}, "source": {"advisory": "GHSA-h77f-xxx7-4858", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39177", "datePublished": "2021-08-30T23:00:12", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.223Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geysermc:geyser:*:*:*:*:*:*:*:*", "matchCriteriaId": "515038BF-D294-47CE-B315-48E1C3CA2C13", "versionEndExcluding": "1.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "Geyser es un puente entre Minecraft: Bedrock Edition y Minecraft: Java Edition. Unas versiones de Geyser anteriores a 1.4.2-SNAPSHOT permiten a cualquiera que pueda conectarse al servidor falsificar un LoginPacket con un token JWT manipulado, permitiendo una suplantaci\u00f3n de identidad como cualquier usuario. La versi\u00f3n 1.4.2-SNAPSHOT contiene un parche para este problema. No se presentan soluciones conocidas aparte de la actualizaci\u00f3n"}], "id": "CVE-2021-39177", "lastModified": "2024-11-21T06:18:48.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-30T23:15:07.070", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5a6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}