Cyber Resilience

CVE-2023-29478

Critical · Public PoC


Published: 07 April 2023
Modified: 11 February 2025
KEV Added: not listed
Patch: BiblioCraft 2.4.6 or later
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1718 (95.2nd percentile)
Risk Priority: 30 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29478 is a critical-severity path traversal (CWE-22) vulnerability in BiblioCraft, a Minecraft mod published by bibliocraftmod. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 4.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

BiblioCraft versions prior to 2.4.6 contain a path traversal flaw (CWE-22): the mod does not sanitize directory traversal sequences in supplied filenames before using them in file write operations. Because those writes are only loosely restricted, a crafted filename can reach almost anywhere on the server's filesystem, including the Minecraft mods directory. The vulnerability carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can supply a crafted filename containing traversal sequences to write attacker-controlled content anywhere the server process has write access. Dropping a malicious JAR or class file into the mods folder results in code execution with the server process's privileges the next time the server loads its mods, which for a Minecraft server normally happens at startup; the planted file persists until then.

Public references consist of proof-of-concept repositories demonstrating the file-write primitive and the resulting remote code execution. The only indicated remediation is upgrading BiblioCraft to version 2.4.6 or later, which adds filename sanitization.

EPSS remains flat at 0.1718 with no material increase after disclosure, and no confirmed in-the-wild exploitation campaigns have been reported.

Vulnerability details

BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bibliocraftmod / bibliocraft, versions < 2.4.6 (fixed in 2.4.6)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22

Validate pathnames and filenames so that file operations cannot escape the intended directory.
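The file-write primitive described in the deeper analysis above and the pathname validation control listed here, as an added example. This is not BiblioCraft's code and is not taken from any of the referenced PoC repositories: vulnerable_target reproduces the CWE-22 pattern in a hypothetical handler, safe_target is a hardened version that confines writes to the intended directory, and the sandbox directories and sample filenames are constructed for the demonstration.

```python
"""Added example: CWE-22 filename handling, vulnerable beside hardened.

Not BiblioCraft's code. vulnerable_target, safe_target and the sandbox
directories are hypothetical, constructed for this demonstration.
"""
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_target(base_dir: str, supplied_name: str) -> str:
    """The CWE-22 pattern: join an untrusted filename onto the intended directory.

    os.path.join never collapses '..' and discards base_dir entirely when
    supplied_name is absolute, so the caller writes wherever the name points.
    """
    return os.path.join(base_dir, supplied_name)


class UnsafeFilename(ValueError):
    """Raised when a supplied name would leave the intended directory."""


def safe_target(base_dir: str, supplied_name: str) -> str:
    """Return the write target for supplied_name, or raise UnsafeFilename.

    Two layers: reject anything that is not a bare filename, then verify,
    after resolving symlinks, that the target still sits directly in base_dir.
    """
    base = Path(base_dir).resolve()
    # A bare filename has no separators, NUL bytes or dot-only components.
    if any(ch in supplied_name for ch in ("/", "\\", "\x00")):
        raise UnsafeFilename(supplied_name)
    if supplied_name in ("", ".", ".."):
        raise UnsafeFilename(supplied_name)
    candidate = (base / supplied_name).resolve()
    # Post-resolution check catches a symlink planted inside base_dir that
    # points elsewhere (for instance into the mods folder).
    if candidate.parent != base:
        raise UnsafeFilename(supplied_name)
    return str(candidate)


def escapes(base_dir: str, target: str) -> bool:
    """True if target, after normalisation and symlink resolution, is not a
    direct child of base_dir."""
    return Path(target).resolve().parent != Path(base_dir).resolve()


def demo() -> dict:
    """Constructed sandbox: a server root with saves/ and mods/ side by side.

    Returns, per sample filename, whether the vulnerable join escapes saves/
    and whether the hardened resolver accepts the name.
    """
    root = Path(tempfile.mkdtemp(prefix="mc-")).resolve()
    try:
        (root / "saves").mkdir()
        (root / "mods").mkdir()
        # A symlink an attacker might already have planted by other means.
        os.symlink(root / "mods" / "dropped.jar", root / "saves" / "sneaky.dat")
        base = str(root / "saves")
        samples = [
            "world.dat",                 # legitimate
            "../mods/evil.jar",          # classic traversal into mods/
            "sub/../../mods/evil.jar",   # traversal via a nonexistent subdir
            "..",                        # bare parent reference
            "/etc/passwd",               # absolute path replaces base_dir
            "sneaky.dat",                # looks bare, but is a symlink out
        ]
        results = {}
        for name in samples:
            try:
                safe_target(base, name)
                accepted = True
            except UnsafeFilename:
                accepted = False
            results[name] = {
                "vulnerable_escapes": escapes(base, vulnerable_target(base, name)),
                "safe_accepts": accepted,
            }
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name!r:28} vulnerable escapes: {r['vulnerable_escapes']!s:5}  "
              f"hardened accepts: {r['safe_accepts']}")
```

The lexical rejection of separators is what blocks the traversal described in this advisory; the post-resolution parent check is the extra layer that matters once an attacker has any other way to place a symlink inside the writable directory. Rejecting the request is preferable to stripping the offending characters, since a sanitizer that rewrites names is easy to get wrong and hides attempts that should be logged.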
