Vulnerability Description
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Techreborn | Reborncore | <= 3.13.8 |
| Minecraft | Minecraft | - |
Related Weaknesses (CWE)
References
- https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrmThird Party Advisory
- https://vuln.ryotak.me/advisories/45Third Party Advisory
- https://www.curseforge.com/minecraft/mc-mods/reborncoreProductThird Party Advisory
- https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrmThird Party Advisory
- https://vuln.ryotak.me/advisories/45Third Party Advisory
- https://www.curseforge.com/minecraft/mc-mods/reborncoreProductThird Party Advisory
FAQ
What is CVE-2021-33790?
CVE-2021-33790 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An at...
How severe is CVE-2021-33790?
CVE-2021-33790 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-33790?
Check the references section above for vendor advisories and patch information. Affected products include: Techreborn Reborncore, Minecraft Minecraft.