Required login bypass vulnerability #2474
Comments
CVE-2019-12395 has been assigned to this vulnerability.

Hello @mikeprimm, Thanks,

It'll be released when 1.14.2 support is done - the issue here is so trivial (there are probably 3 or 4 servers of all the servers that use dynmap that even use the option of supporting login, restricting map visibility to using login AND using the internal web server) that I'm not driving a formal update just to release the fix. I appreciate the fix, but I do feel that the opening of a CVE and JVN is making a 'mountain out of a molehill'. It'll be released when the more important elements of the update are ready - hopefully this weekend. The patched source is available and freely buildable, so anyone who needs it sooner already has the fix available, as the mod is open source...

Thank you for your reply! I forwarded your reply to JVN. Thanks,

I think we're looking good for being able to do a release on the latest code base this weekend - I finished up the remaining critical 1.14.x issues last night, and I THINK the latest dev build is a potential 'release candidate'.

Hello mikeprimm. Thank you for the information. Thanks,

It's all OK - I've been fighting to find the time to finish the release, so I might have been feeling a bit rushed :)
Just released v3.0-beta-4 on both dev.bukkit.org and spigotmc.org |
Vulnerability Information
Issue Description
Due to a missing login check in org.dynmap.servlet.MapStorageResourceHandler.java, an attacker can see map images without logging in even though "login-required" is enabled in the configuration.
Reproduce Steps
Enable login-required and login-enabled in configuration.
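The defect the report describes is an authorization check that is absent from the resource handler rather than a check that is present but wrong. The following is an added example, not dynmap's code and not the fix the maintainer shipped: a hypothetical Jetty handler that serves map tile images and applies the check that a "login-required" setting calls for. The class and attribute names (TileHandler, SESSION_USER), the constructor flags, and the tile layout under a single directory are assumptions made for the example; the project's real configuration keys are the two the report names, login-enabled and login-required.

```java
// Added example, not part of dynmap: a Jetty handler for map tile images that
// refuses to serve them unless the session is authenticated when login is required.
// Assumes Jetty 9.x (org.eclipse.jetty.server.handler.AbstractHandler) and javax.servlet.
package example;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class TileHandler extends AbstractHandler {
    // Hypothetical session attribute set by the login handler after a successful login.
    static final String SESSION_USER = "user";

    private final boolean loginEnabled;   // mirrors "login-enabled" in configuration (assumption)
    private final boolean loginRequired;  // mirrors "login-required" in configuration (assumption)
    private final Path tileRoot;          // directory holding the rendered tile images

    public TileHandler(boolean loginEnabled, boolean loginRequired, Path tileRoot) {
        this.loginEnabled = loginEnabled;
        this.loginRequired = loginRequired;
        this.tileRoot = tileRoot.toAbsolutePath().normalize();
    }

    // The decision the vulnerable handler never made. Following the reproduce steps
    // in the report, the restriction only applies when both flags are on (assumption).
    // A request without a session, or with a session that never logged in, is refused.
    static boolean isAuthorised(boolean loginEnabled, boolean loginRequired, HttpSession session) {
        if (!(loginEnabled && loginRequired)) {
            return true;
        }
        return session != null && session.getAttribute(SESSION_USER) != null;
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        baseRequest.setHandled(true);

        // getSession(false) must not create a session: an anonymous client gets null,
        // and null is treated as "not logged in" rather than as a fresh, trusted session.
        if (!isAuthorised(loginEnabled, loginRequired, request.getSession(false))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // General hygiene for any handler that maps a URL onto files: resolve the
        // requested path under the tile directory and reject anything that escapes it.
        Path tile = tileRoot.resolve(target.substring(1)).normalize();
        if (!tile.startsWith(tileRoot) || !Files.isRegularFile(tile)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        response.setContentType("image/png");
        try (InputStream in = Files.newInputStream(tile);
             OutputStream out = response.getOutputStream()) {
            in.transferTo(out);
        }
    }
}
```

The point of placing the check inside the tile handler, rather than only on the HTML page that embeds the map, is the one the report makes: a client that knows or guesses tile URLs never loads the page, so a check on the page alone protects nothing. Responding with 403 rather than 404 when the session is missing is a choice; either is acceptable as long as the image bytes are not sent.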