An item duplication bug was discovered in REI. A malicious ("hacked") client can send a crafted packet to a vulnerable Minecraft server running REI mod, which causes item duplication.

Please refer to the table below for fix versions:

An item duplication bug was discovered in JEI. A malicious ("hacked") client can send a crafted packet to a vulnerable Minecraft server running JEI mod, which causes item duplication.

Please refer to the table below for fix versions:

An item duplication bug was discovered in EMI. A malicious ("hacked") client can send a crafted packet to a vulnerable Minecraft server running EMI mod, which causes item duplication. Fixed in version 1.1.11.

Technical Description: Failure to validate slot index and decrement stack count in EMI for Minecraft version 1.1.10 and below allows in-game item duplication.

• CVSS4.0: 5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/V:C
• CVSS3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
• CWE: CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input

• CVE-2024-35474
• CVSS3.1: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
• CVSS4.0: 7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/V:C/RE:L

In ResourcePack Server mod before version 1.0.8, a path traversal allows any player with permission level 1 to make public any files on the server, due to setPath method of ResourcePackFileServer.kt not validating the path. After the attack is performed, the files will be exposed on a public HTTP server.

This was resolved in version 1.0.8.

References:

Vulnerability disclosures for RPShare mod.

In all versions of RPShare Fabric client mod for Minecraft, a path traversal in DownloadTask#getFileNameFromConnection allows arbitrary file write and, consequentially, remote code execution. User interaction is required for exploitation, in that a victim must interact with the user interface to accept a malicious file download. Note: the Paper server-side plugin is unaffected. Note 2: RPShare was archived and will not receive fixes for this vulnerability.

• CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
• CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L

There are A LOT, mostly due to Mojang breaking networking AGAIN.

The following deprecated APIs were removed:

• fabric-containers-v0 (deprecated since 2020), use fabric-screen-handler-api-v1
• ScreenRegistry and ScreenHandlerRegistry, use TAW

The following were deprecated:

Advisory issued on January 11th, 2024 (UTC) by apple502j.

Several Minecraft mods were found to have path traversal security bugs related to improper ZipInputStream usage. These bugs allow for writing files and installing mods unexpectedly. Note that while the underlying issues are the same, the method of exploitation significantly differs across mods.

The following mods are affected. Note that this information will be updated as the authors patch the issue.

• ServerRPExposer: 1.0.0-1.0.2. Update to 1.0.3.
• ARRP: 0.5.4-the first version named 0.8.1. Update to the second version named 0.8.1.

Advancements got codecs, registries were updated, etc.

FAPI 0.90.8 released, no breaking change.

Some mob spawner logics have been moved to Spawner interface (to be implemented by spawner block entities). MobSpawnerLogic and related classes are now placed in block.spawner package. The existing Spawner interface used for spawning cats, "the worst mob", and the frequent homicide victims is now renamed to SpecialSpawner.

The sort-of-weekly thingy is back?

No breaking changes for Fabric API.

/tick command from the Carpet mod arrives in the vanilla game. To support this functionality in your mod:

CVE: CVE-2023-39680

Deserialization of untrusted data exists in Unicopia mod for Minecraf by Sollace up to and including version 1.1.1. Unsafe Java deserialization occurs after a user's client connects to a malicious server. This is fixed in version 1.2.0. (See the fix commit)

CVSS3.1: 7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H