Deserialization of Untrusted Data

Affecting de.gurkenlabs:litiengine artifact, versions [0,0.5.1)

Overview

de.gurkenlabs:litiengine is a free, pure 2D Java game engine. Written in plain Java 8, it provides all the infrastructure to create a 2D tile-based Java game, be it a platformer or a top-down adventure.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data (CWE-502). An attacker can supply any instance of Serializable to MessagePacket, and the engine deserializes it with plain Java serialization and no class validation (no allowlist or input filter). Because Java deserialization instantiates whatever classes the byte stream names, a remote attacker who can reach the engine's network layer can trigger arbitrary code execution if the application's classpath contains a usable gadget chain of vulnerable serializable classes.
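The following is an added illustration, not code from LITIENGINE or from the reporter: it contrasts the unchecked pattern described above with a Java 8 look-ahead allowlist. ChatMessage, PacketDeserializationDemo, deserializeUnchecked and deserializeAllowlisted are hypothetical names chosen for the example; the engine's own fix in 0.5.1 may differ. A serialized java.util.HashMap stands in for an attacker-chosen class, since no real gadget chain is needed to show that the class is accepted or rejected.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PacketDeserializationDemo {

  // Hypothetical packet payload type standing in for the engine's real message classes.
  public static final class ChatMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    public final String text;
    public ChatMessage(String text) { this.text = text; }
  }

  // Only classes named here may be materialised from a packet. Strings and primitives
  // are written as stream literals and never reach resolveClass, so they need no entry.
  private static final Set<String> ALLOWED =
      new HashSet<>(Arrays.asList(ChatMessage.class.getName()));

  public static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
      out.writeObject(o);
    }
    return bos.toByteArray();
  }

  // Vulnerable pattern (CWE-502): every class on the classpath is reachable from the
  // bytes, and readObject()/readResolve() of those classes run before this method returns.
  public static Object deserializeUnchecked(byte[] payload)
      throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
      return in.readObject();
    }
  }

  // Hardened pattern for Java 8: resolveClass() is invoked for each class descriptor
  // before any instance is created, so a gadget class is rejected before it can run.
  public static Object deserializeAllowlisted(byte[] payload)
      throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload)) {
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc)
          throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
          throw new InvalidClassException(desc.getName(), "class not on the packet allowlist");
        }
        return super.resolveClass(desc);
      }
    }) {
      return in.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    byte[] legit = serialize(new ChatMessage("hello"));
    // Constructed stand-in for an attacker-controlled payload: any class the sender
    // chooses, here an empty HashMap, is accepted by the unchecked reader.
    byte[] hostile = serialize(new java.util.HashMap<String, String>());

    System.out.println("unchecked, legit:   " + ((ChatMessage) deserializeUnchecked(legit)).text);
    System.out.println("unchecked, hostile: " + deserializeUnchecked(hostile).getClass().getName());
    System.out.println("allowlisted, legit: " + ((ChatMessage) deserializeAllowlisted(legit)).text);
    try {
      deserializeAllowlisted(hostile);
    } catch (InvalidClassException e) {
      System.out.println("allowlisted, hostile rejected: " + e.getMessage());
    }
  }
}
```

The allowlist must be checked in resolveClass (or an ObjectInputFilter) rather than on the object returned by readObject(), because by then the constructors, readObject() and readResolve() hooks of every class in the stream have already executed. On Java 9 and later, and on Java 8u121 and later via the jdk.serialFilter system property, the JEP 290 serialization filter offers the same look-ahead rejection without subclassing ObjectInputStream.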

Remediation

Upgrade de.gurkenlabs:litiengine to version 0.5.1 or higher.

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit: Gamebuster19901
CWE: CWE-502
Snyk ID: SNYK-JAVA-DEGURKENLABS-1050178
Disclosed: 09 Dec, 2020
Published: 17 Feb, 2021