CVE-2022-24300 — Injection in Minetest

CWE-74 — Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 27.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Minetest Debian Minetest Debian Linux

Timeline

PublishedFeb 2

Latest updateFeb 15

Description

Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/minetest< minetest 5.4.1+repack-1 (bookworm)

▶NVDminetest/minetest< 5.4.0

▶Debianminetest/minetest< 5.3.0+repack-2.1+deb11u1+1

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: bugs.debian.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f7m8-fvp5-fpmw: Minetest before 5↗2022-02-15

▶

OSV

CVE-2022-24300: Minetest before 5↗2022-02-02

▶

📋Vendor Advisories

Debian

CVE-2022-24300: minetest - Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of...↗2022

▶