{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T11:15:09.066","vulnerabilities":[{"cve":{"id":"CVE-2021-37632","sourceIdentifier":"security-advisories@github.com","published":"2021-08-05T21:15:12.687","lastModified":"2024-11-21T06:15:33.953","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher."},{"lang":"es","value":"SuperMartijn642's Config Lib es una biblioteca usada por varios mods para el juego Minecraft. Las versiones de SuperMartijn642's Config Lib entre 1.0.4 y 1.0.8, están afectadas por una vulnerabilidad y pueden ser explotadas tanto en servidores como en clientes. Usando Config Lib de SuperMartijn642, los servidores enviarán un paquete a clientes con los valores de configuración del servidor. Para leer los valores \"enum\" de los datos del paquete, es usado \"ObjectInputStream#readObject\".  \"ObjectInputStream#readObject\" instanciará una clase basada en los datos de entrada. Como los datos del paquete no se comprueban antes de llamar a \"ObjectInputStream#readObject\", un atacante puede instanciar cualquier clase mediante el envío de un paquete malicioso. Si se encuentra una clase adecuada, la vulnerabilidad puede conllevar a una serie de explotaciones, incluyendo una ejecución de código remota. Aunque el paquete vulnerable normalmente sólo se envía del servidor al cliente, teóricamente también puede enviarse del cliente al servidor. Esto significa que tanto los clientes como los servidores que ejecutan el Config Lib de SuperMartijn642 entre 1.0.4 y 1.0.8 son vulnerables. La vulnerabilidad ha sido parcheada en la Config lib 1.0.9 de SuperMartijn642. Tanto los jugadores como los propietarios de servidores deben actualizar a la versión 1.0.9 o superior"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:config_lib_project:config_lib:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.4","versionEndExcluding":"1.0.9","matchCriteriaId":"418BE337-88A4-42B1-8D51-16D3E1815B58"}]}]}],"references":[{"url":"https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}