CVE-2023-29478
Published: 07 April 2023
Summary
CVE-2023-29478 is a critical-severity Path Traversal (CWE-22) vulnerability in Bibliocraftmod Bibliocraft. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
BiblioCraft versions prior to 2.4.6 contain a path traversal flaw (CWE-22) that fails to sanitize directory traversal characters in supplied filenames. The affected component is the BiblioCraft Minecraft mod, which permits restricted write operations that reach arbitrary locations on the underlying filesystem, including the Minecraft mods directory. The vulnerability carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply a crafted filename containing traversal sequences to write attacker-controlled files anywhere the server process has write access. Placement of a malicious JAR or class file inside the mods folder results in immediate code execution when the Minecraft server loads the mod.
Public references consist of proof-of-concept repositories demonstrating the file-write primitive and subsequent remote code execution. The only indicated remediation is upgrading BiblioCraft to version 2.4.6 or later, which adds filename sanitization.
EPSS remains flat at 0.1718 with no material increase after disclosure, and no confirmed in-the-wild exploitation campaigns have been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33046
Vulnerability details
BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.