- CVE-2024-35474
- CVSS3.1: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CVSS4.0: 7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/V:C/RE:L
In the ResourcePack Server mod before version 1.0.8, a path traversal allows any player with permission level 1 to make any file on the server public, because the `setPath` method of `ResourcePackFileServer.kt` does not validate the path. After the attack is performed, the files are exposed on a public HTTP server.
This was resolved in version 1.0.8.
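The kind of validation whose absence is described above, as an added Kotlin example; it is not the mod's code or its 1.0.8 fix. The helper name `resolveServedPath`, the `packs` directory and the `.zip` restriction are assumptions made for illustration.

```kotlin
import java.nio.file.Files
import java.nio.file.LinkOption
import java.nio.file.Path

// Hypothetical helper: the name, the allowed directory and the extension
// check are assumptions for illustration, not the mod's real API.
fun resolveServedPath(allowedDir: Path, requested: String): Path {
    // Canonical form of the allowed directory (symlinks resolved).
    val base = allowedDir.toRealPath()

    // resolve() returns `requested` unchanged if it is absolute, and
    // normalize() collapses "..", so one containment check covers both cases.
    val candidate = base.resolve(requested).normalize()
    require(candidate.startsWith(base)) { "path escapes allowed directory" }

    // toRealPath() throws if the file is missing and follows symlinks, so a
    // link inside the directory that points outside it is rejected as well.
    val real = candidate.toRealPath()
    require(real.startsWith(base)) { "symlink escapes allowed directory" }
    require(Files.isRegularFile(real, LinkOption.NOFOLLOW_LINKS)) { "not a regular file" }
    require(real.fileName.toString().endsWith(".zip")) { "not a .zip archive" }
    return real
}

fun main() {
    // Constructed sample layout in a temporary directory.
    val root = Files.createTempDirectory("rps-demo")
    val packs = Files.createDirectories(root.resolve("packs"))
    Files.write(packs.resolve("pack.zip"), byteArrayOf(0x50, 0x4b))
    Files.write(root.resolve("server.properties"), "secret=1".toByteArray())

    val inputs = listOf(
        "pack.zip",                                    // inside the directory
        "../server.properties",                        // relative escape
        root.resolve("server.properties").toString(),  // absolute escape
    )
    for (input in inputs) {
        val verdict = runCatching { resolveServedPath(packs, input) }
            .fold({ "served: ${it.fileName}" }, { "rejected: ${it.message}" })
        println("$input -> $verdict")
    }
}
```

Only the first input is served; the other two fail the containment check before the file is ever opened.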
References: