@apple502j
Last active October 21, 2024 09:53
Command Block IDE Force-OP Bug (CVE-2024-48645)

In CommandBlockIDE#onInitialize of the Minecraft mod "Command Block IDE", versions up to and including 0.4.9, a missing authorization check (CWE-862) allows any user to modify the "function" files the game loads when the mod is installed on a dedicated server. (Function files contain in-game commands and can change game behaviour, but cannot be used to run arbitrary code on the host machine.)

This does not affect the common setup, where the mod is installed on the client.

This issue is fixed in version 0.4.10.
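The bug class described above is a server-side handler that accepts an edit request and writes the file without asking whether the sender is allowed to. The following is an added illustration written for this page, not the Command Block IDE mod's own code: it assumes the Fabric API `ServerPlayNetworking` receiver and Yarn mappings for Minecraft 1.20.x, and the channel name, payload layout, datapack name and helper methods are hypothetical. The vulnerable shape is left as a comment beside the hardened one, which requires operator permission level 2 and also refuses function names that would resolve outside the datapack directory (an extra check not described by the advisory).

```java
// Added example for this advisory; not code from the Command Block IDE mod.
// Assumes Fabric API networking (ServerPlayNetworking) and Yarn mappings for
// Minecraft 1.20.x. Channel id, payload layout and helper names are hypothetical.
package example.functionedit;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

import net.fabricmc.api.ModInitializer;
import net.fabricmc.fabric.api.networking.v1.ServerPlayNetworking;
import net.minecraft.network.PacketByteBuf;
import net.minecraft.server.MinecraftServer;
import net.minecraft.server.network.ServerPlayerEntity;
import net.minecraft.text.Text;
import net.minecraft.util.Identifier;
import net.minecraft.util.WorldSavePath;

public final class FunctionEditHandler implements ModInitializer {
    // Hypothetical channel: client sends <namespace><path><body> as three strings.
    private static final Identifier SAVE_FUNCTION = new Identifier("example", "save_function");
    // Hypothetical datapack the editor writes into.
    private static final String PACK_NAME = "example_editor_pack";
    // Operators have permission level 2 or higher by default; level 2 is what
    // the vanilla /function command requires.
    private static final int REQUIRED_PERMISSION_LEVEL = 2;
    // Deliberately strict: lowercase identifiers only, no '.', so ".." cannot appear.
    private static final Pattern NAMESPACE = Pattern.compile("[a-z0-9_-]+");
    private static final Pattern FUNC_PATH = Pattern.compile("[a-z0-9_-]+(/[a-z0-9_-]+)*");

    @Override
    public void onInitialize() {
        // Vulnerable shape (CWE-862): every connected client can overwrite a function.
        // ServerPlayNetworking.registerGlobalReceiver(SAVE_FUNCTION,
        //     (server, player, handler, buf, responseSender) -> {
        //         String ns = buf.readString(), path = buf.readString(), body = buf.readString();
        //         server.execute(() -> writeFunction(server, ns, path, body));
        //     });

        // Hardened shape: authorize the sender, then validate the target path.
        ServerPlayNetworking.registerGlobalReceiver(SAVE_FUNCTION,
            (server, player, handler, buf, responseSender) -> {
                // Read on the network thread, mutate world state on the server thread.
                String ns = buf.readString();
                String path = buf.readString();
                String body = buf.readString();
                server.execute(() -> {
                    if (!isAuthorized(player)) {
                        player.sendMessage(Text.literal("You are not permitted to edit functions."), false);
                        return;
                    }
                    try {
                        writeFunction(server, ns, path, body);
                        player.sendMessage(Text.literal("Saved " + ns + ":" + path), false);
                    } catch (IllegalArgumentException | IOException e) {
                        player.sendMessage(Text.literal("Rejected: " + e.getMessage()), false);
                    }
                });
            });
    }

    // The check that is missing in the vulnerable shape.
    static boolean isAuthorized(ServerPlayerEntity player) {
        return player.hasPermissionLevel(REQUIRED_PERMISSION_LEVEL);
    }

    // Maps <ns>:<path> to <world>/datapacks/<pack>/data/<ns>/functions/<path>.mcfunction
    // and refuses anything that does not stay inside the datapacks directory.
    static Path resolveFunctionFile(Path datapacksDir, String ns, String path) {
        if (!NAMESPACE.matcher(ns).matches() || !FUNC_PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("invalid function id");
        }
        Path base = datapacksDir.toAbsolutePath().normalize();
        Path target = base.resolve(PACK_NAME).resolve("data").resolve(ns)
                .resolve("functions").resolve(path + ".mcfunction").normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("function id escapes datapack directory");
        }
        return target;
    }

    static void writeFunction(MinecraftServer server, String ns, String path, String body) throws IOException {
        Path target = resolveFunctionFile(server.getSavePath(WorldSavePath.DATAPACKS), ns, path);
        Files.createDirectories(target.getParent());
        Files.writeString(target, body, StandardCharsets.UTF_8);
    }
}
```

Permission level 2 is the same bar the vanilla `/function` command sets, so a player who could not already run functions cannot now write them either; a mod that wants finer control could consult a permissions API instead, but the authorization decision must be made on the server, never trusted from the client packet.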

  • CVSS3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVSS4.0: 8.7 (High) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
