Vulnerability Details : CVE-2021-33790
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
Vulnerability category: Execute code
Products affected by CVE-2021-33790
- cpe:2.3:a:techreborn:reborncore:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-33790
- 5.43%: probability of exploitation activity in the next 30 days
- ~89%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-33790
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2021-33790
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-33790
- https://vuln.ryotak.me/advisories/45 (Advisory #45 - RyotaK's Vuln DB; Third Party Advisory)
- https://www.curseforge.com/minecraft/mc-mods/reborncore (Product; Third Party Advisory)
- https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm (Deserialization of Untrusted Data in RebornCore's network stack · Advisory · TechReborn/RebornCore · GitHub; Third Party Advisory)