Advisory issued on January 11th, 2024 (UTC) by apple502j.
Several Minecraft mods were found to have path traversal security bugs related to improper ZipInputStream
usage. These bugs allow for writing files and installing mods unexpectedly. Note that while the underlying issues are the same, the method of exploitation significantly differs across mods.
The following mods are affected. Note that this information will be updated as the authors patch the issue.
- ServerRPExposer: 1.0.0-1.0.2. Update to 1.0.3.
- ARRP: 0.5.4-the first version named 0.8.1. Update to the second version named 0.8.1.