An item duplication bug was discovered in JEI. A malicious ("hacked") client can send a crafted packet to a vulnerable Minecraft server running the JEI mod, causing item duplication.
Please refer to the table below for fix versions:
Minecraft Version | Last Affected | Fix Version |
---|---|---|
1.21 | 19.5.0.33 | 19.5.0.34 |
1.20.1 | 15.8.0.10 | 15.8.0.11 |
1.19.4 | 13.1.0.17 | 13.1.0.18 |
1.19.2 | 11.6.0.1020 | 11.6.0.1021 |
The vulnerability is verified to be exploitable in version 1.21. Note that versions not listed here may be affected as well.
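
As an added example (not part of the advisory or of JEI's own code), the following Python check classifies installed JEI builds against the table above and reports unlisted Minecraft versions as unknown rather than safe. The jar naming pattern `jei-<minecraft>-<loader>-<jei>.jar` and the sample file names are assumptions constructed for illustration.

```python
import re

# (last affected, first fixed) JEI build per Minecraft version, from the advisory table.
ADVISORY = {
    "1.21": ("19.5.0.33", "19.5.0.34"),
    "1.20.1": ("15.8.0.10", "15.8.0.11"),
    "1.19.4": ("13.1.0.17", "13.1.0.18"),
    "1.19.2": ("11.6.0.1020", "11.6.0.1021"),
}

# Assumed jar naming (not stated in the advisory): jei-<minecraft>-<loader>-<jei>.jar
JAR_NAME = re.compile(r"jei-(?P<mc>\d+(?:\.\d+)+)-[a-z]+-(?P<jei>\d+(?:\.\d+)+)\.jar")

def parse_version(text):
    """Turn '11.6.0.1020' into (11, 6, 0, 1020) so segments compare numerically."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def jei_status(mc_version, jei_version):
    """Classify one install as 'vulnerable', 'fixed' or 'unknown'."""
    entry = ADVISORY.get(mc_version)
    if entry is None:
        # The advisory notes that unlisted versions may be affected as well.
        return "unknown"
    last_affected, first_fixed = (parse_version(v) for v in entry)
    installed = parse_version(jei_version)
    if installed <= last_affected:
        return "vulnerable"
    if installed >= first_fixed:
        return "fixed"
    return "unknown"  # falls between the two listed builds

def scan_mods(filenames):
    """Map each JEI jar name to its status; files that are not JEI jars are ignored."""
    report = {}
    for name in filenames:
        match = JAR_NAME.fullmatch(name)
        if match:
            report[name] = jei_status(match["mc"], match["jei"])
    return report

# Constructed sample of a server's mods directory listing.
SAMPLE_MODS = [
    "jei-1.21-neoforge-19.5.0.33.jar",
    "jei-1.20.1-forge-15.8.0.11.jar",
    "jei-1.18.2-forge-10.2.1.1000.jar",
    "othermod-1.0.jar",
]
```
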
Technical Description: Failure to validate the slot index in JEI version 19.5.0.33 and below for Minecraft 1.21 allows in-game item duplication.
- CVSS4.0: 5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/V:C
- CVSS3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CWE: CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input