Vulnerability disclosures for the RPShare mod.
In version 1.0.0 of the RPShare Fabric client mod for Minecraft, a path traversal in DownloadTask#getFileNameFromConnection allows arbitrary file write and, consequently, remote code execution. User interaction is required for exploitation, in that a victim must interact with the user interface to accept a malicious file download. Note: the Paper server-side plugin is unaffected. Note 2: RPShare was archived and will not receive fixes for this vulnerability.
- CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L
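A defensive check for this class of bug, as an added example that is not RPShare's code. It assumes the file name is taken from server-controlled data on the connection (the advisory does not say which field), and `SafeDownloadName` and `resolveInside` are hypothetical names.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public final class SafeDownloadName {
    /**
     * Resolves an untrusted, server-supplied file name to a path that is a
     * direct child of downloadDir, or throws if the name would land elsewhere.
     */
    static Path resolveInside(Path downloadDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isBlank()) {
            throw new IOException("empty file name");
        }
        // Reject both separator styles, drive/stream colons and NUL up front:
        // "\" is an ordinary character on Linux but a separator on Windows.
        for (char c : new char[] {'/', '\\', ':', '\0'}) {
            if (untrustedName.indexOf(c) >= 0) {
                throw new IOException("illegal character in file name");
            }
        }
        Path base = downloadDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid file name", e);
        }
        // Catches "." and "..", which contain no separator but still
        // normalise to a location other than a child of the base directory.
        if (!base.equals(target.getParent())) {
            throw new IOException("file name escapes download directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("download-example");
        // Constructed sample names: one benign, the rest traversal attempts.
        String[] names = {"pack.zip", "../../outside.txt", "..\\..\\outside.txt",
                          "/tmp/outside.txt", "..", "."};
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveInside(dir, name).getFileName());
            } catch (IOException e) {
                System.out.println("rejected: \"" + name + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `pack.zip` is accepted; every other sample name is rejected before any file is opened for writing.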
In version 1.0.0 of the RPShare Fabric client mod for Minecraft, an OS command injection in DownloadPromptScreen#build allows an executable file to be executed. User interaction is required for exploitation, in that a victim must interact with the user interface to trigger the executables. Note: the Paper server-side plugin is unaffected. Note 2: RPShare was archived and will not receive fixes for this vulnerability.
- CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L