Vulnerability Description
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone who can connect to the server to forge a LoginPacket with a manipulated JWT token, allowing impersonation of any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Geysermc | Geyser | < 1.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/GeyserMC/Geyser/commit/b9541505af68ac7b7c093206ac7b1ba88957a5 (Patch, Third Party Advisory)
- https://github.com/GeyserMC/Geyser/security/advisories/GHSA-h77f-xxx7-4858 (Patch, Third Party Advisory)
- https://updates.playhive.com/weekend-maintenance-disclosure-2kJMaY (Third Party Advisory)
FAQ
What is CVE-2021-39177?
CVE-2021-39177 is a vulnerability with a CVSS score of 7.4 (HIGH). Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with ma...
How severe is CVE-2021-39177?
CVE-2021-39177 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-39177?
Check the references section above for vendor advisories and patch information. Affected products include: Geysermc Geyser.