First published: Mon May 31 2021
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Techreborn Reborncore | <=3.13.8 | |
Techreborn Reborncore | >=3.19.0 <3.19.5 | |
Techreborn Reborncore | >=4.2.0 <4.2.10 | |
Techreborn Reborncore | >=4.7.0 <4.7.3 | |
Minecraft Minecraft | | |
CVE-2021-33790 is a vulnerability in the RebornCore library that allows remote code execution.
CVE-2021-33790 arises because the library deserializes untrusted data with ObjectInputStream.readObject, which lets an attacker instantiate any class on the classpath with any data.
CVE-2021-33790 has a severity rating of 9.8 (Critical).
Versions of Techreborn Reborncore 3.13.8 to 3.19.5, 4.2.0 to 4.2.10, and 4.7.0 to 4.7.3 are affected by CVE-2021-33790.
To fix CVE-2021-33790, it is recommended to update to RebornCore library version 4.7.3 or newer.