
Path traversal during manual mrpack installation

High
LennyMcLennington published GHSA-3rfr-g9g9-7gx2 Feb 4, 2023

Package

PolyMC (Application)

Affected versions

<= 1.4.3

Patched versions

>= 5.0

Description

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

Patches

67bb016

Workarounds

Avoid importing .mrpack files from untrusted sources.
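
For packs that do have to be inspected before import, the following added example (not PolyMC's code and not the patch) lists index entries whose download path would land outside the instance directory. It assumes the layout from the format definition linked under References: a zip archive containing modrinth.index.json with a files array whose entries carry a path field. The function names and the sample pack are constructed for illustration.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def unsafe_reason(path):
    """Return why a files[].path value could escape the instance dir, or None."""
    if not isinstance(path, str) or not path:
        return "missing or non-string path"
    # Absolute on either platform (leading / or \, drive letter, UNC share).
    win = PureWindowsPath(path)
    if PurePosixPath(path).is_absolute() or win.drive or win.root:
        return "absolute path"
    # Treat both separators as separators so '..\\x' is caught on any OS.
    if ".." in path.replace("\\", "/").split("/"):
        return "parent-directory component"
    return None


def audit_mrpack(data):
    """Return [(path, reason)] for every unsafe entry in modrinth.index.json."""
    with zipfile.ZipFile(io.BytesIO(data)) as pack:
        index = json.loads(pack.read("modrinth.index.json"))
    findings = []
    for entry in index.get("files", []):
        reason = unsafe_reason(entry.get("path"))
        if reason:
            findings.append((entry.get("path"), reason))
    return findings


def build_sample_pack():
    """Constructed sample pack (not a real modpack), built in memory."""
    index = {"formatVersion": 1, "game": "minecraft", "files": [
        {"path": "mods/example.jar"},
        {"path": "../../outside.cfg"},
        {"path": "config\\..\\..\\outside.cfg"},
        {"path": "C:\\Temp\\outside.cfg"},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("modrinth.index.json", json.dumps(index))
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in audit_mrpack(build_sample_pack()):
        print(f"UNSAFE {path!r}: {reason}")
```

A pack with any finding should be rejected rather than repaired; an empty result only covers the path field and says nothing about what the downloaded files contain.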

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

Severity

High 7.1 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

CVE ID

CVE-2023-25305
