Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Required login bypass vulnerability #2474

Closed
Ry0taK opened this issue May 2, 2019 · 8 comments

Comments

Projects
None yet
2 participants
@Ry0taK
Copy link
Contributor

commented May 2, 2019

Vulnerability Information

  • Version: v3.0-beta-3 or below
  • Type: CWE-284 (Improper Access Control)

Issue Description

Due to missing login check in org.dynmap.servlet.MapStorageResourceHandler.java, attacker can see map image without login despite "login-required" is enabled in configuration.

Reproduce Steps

  1. Enable login-required and login-enabled in configuration.
  2. Try this PoC
@Ry0taK

This comment has been minimized.

Copy link
Contributor Author

commented May 29, 2019

CVE-2019-12385 has assigned to this vulnerability.

@Ry0taK

This comment has been minimized.

Copy link
Contributor Author

commented Jun 5, 2019

Hello @mikeprimm ,
I've sent to this vulnerability information to JVN (Japan Vulnerability Notes),
and JVN asked me when will the next release.
Can you tell me when will the next release please?
also, JVN said "CVE has already published, so if there is no plan for the next release, can you release next version as soon as possible please?".

Thanks,
RyotaK

@mikeprimm

This comment has been minimized.

Copy link
Member

commented Jun 5, 2019

It'll be released when 1.14.2 support is done - the issue here is so trivial (there are probably 3 or 4 servers of all the servers that use dynmap that even use the option of supporting login, restricting map visibility to using login AND using the internal web server) that I'm not driving a formal update just to release the fix. I appreciate the fix, but I do feel that the opening of a CVE and JVN is making a 'mountain out of a molehill'. It'll be released when the more important elements of the update are ready - hopefully this weekend. The patched source is available and freely buildable, so anyone who needs it sooner is already has the fix available, as the mod is open source...

@Ry0taK

This comment has been minimized.

Copy link
Contributor Author

commented Jun 5, 2019

Thank you for your reply!

I forwarded your reply to JVN.
I understand that the severity of this vulnerability is low and I also understand that you don't release software just to fix this vulnerability.
However, CVE and JVN are vulnerability information databases, and the vulnerability severity does not matter.

Thanks,
RyotaK

@mikeprimm

This comment has been minimized.

Copy link
Member

commented Jun 6, 2019

I think we're looking good for being able to do a release on the latest code base this weekend - I finished up the remaining critical 1.14.x issues last night, and I THINK the latest dev build is a potential 'release candidate'.

@Ry0taK

This comment has been minimized.

Copy link
Contributor Author

commented Jun 6, 2019

Hello mikeprimm.

Thank you for the information.
I sent this information to JVN.
And I apologize if you felt that I was rushing to release the next version.

Thanks,
RyotaK

@mikeprimm

This comment has been minimized.

Copy link
Member

commented Jun 6, 2019

It's all OK - I've been fighting to find the time to finish the release, so I might have been feeling a bit rushed :)

@mikeprimm

This comment has been minimized.

Copy link
Member

commented Jun 9, 2019

Just released v3.0-beta-4 on both dev.bukkit.org and spigotmc.org

@mikeprimm mikeprimm closed this Jun 9, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.