An item duplication bug was discovered in REI. A malicious ("hacked") client can send a crafted packet to a vulnerable Minecraft server running the REI mod, which causes item duplication.
Please refer to the table below for fix versions:
Minecraft Version | Last Affected | Fix Version |
---|---|---|
1.21 | 16.0.729 | 16.0.744 |
1.20.4 | 14.1.727 | 14.1.742 |
1.20.2 | 13.1.726 | 13.1.741 |
1.20.1 | 12.1.725 | 12.1.740 |
1.19.4 | 11.1.717 | 11.1.739 |
1.19.2 | 9.2.724 | 9.2.738 |
1.18.2 | 8.4.723 | 8.4.737 |
The vulnerability is verified to be exploitable in version 1.21. Note that versions not listed here may be affected as well.
Technical Description: Failure to validate slot index and decrement stack count in REI for Minecraft 1.21 version 16.0.729 and below allows in-game item duplication.
- CVSS4.0: 5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/V:C
- CVSS3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CWE: CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input
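
The bug class named in the Technical Description (a client-supplied slot index that is not validated, and a source stack that is not decremented) is shown below next to a hardened handler. This is an added example and a simplified model, not REI's code: the class, the method names, the single-item-type inventory and the stack limit of 64 are all assumptions made for illustration.

```java
import java.util.Arrays;

// Simplified model of the bug class; NOT REI's code. All names here are hypothetical.
public class SlotMoveExample {
    static final int MAX_STACK = 64; // assumed per-slot stack limit

    /** Flawed pattern: client-supplied indices are trusted and the source is never debited. */
    static void moveUnchecked(int[] slots, int from, int to, int amount) {
        slots[to] += amount; // destination credited; 'from' is neither validated nor decremented
    }

    /** Hardened pattern: validate every client-supplied value, then debit and credit together. */
    static boolean moveChecked(int[] slots, int from, int to, int amount) {
        int n = slots.length;
        if (from < 0 || from >= n || to < 0 || to >= n || from == to) return false;
        if (amount <= 0 || amount > slots[from]) return false; // cannot move more than is held
        if (slots[to] > MAX_STACK - amount) return false;      // destination would overflow
        slots[from] -= amount;
        slots[to] += amount;
        return true;
    }

    /** Total item count across all slots; a legitimate move must leave this unchanged. */
    static int total(int[] slots) { return Arrays.stream(slots).sum(); }

    public static void main(String[] args) {
        int[] a = {16, 0, 0}; // constructed sample inventory (item counts per slot)
        moveUnchecked(a, 0, 1, 16);
        System.out.println("unchecked: " + Arrays.toString(a) + " total=" + total(a));

        int[] b = {16, 0, 0};
        int before = total(b);
        boolean okMove = moveChecked(b, 0, 1, 16);
        boolean badIndex = moveChecked(b, 7, 1, 1); // out-of-range slot index is rejected
        boolean badCount = moveChecked(b, 2, 0, 5); // empty source slot is rejected
        System.out.println("checked: " + Arrays.toString(b) + " total=" + total(b)
                + " ok=" + okMove + " badIndex=" + badIndex + " badCount=" + badCount);
        // Conservation check: a server can assert this after every client-driven move.
        if (total(b) != before) throw new IllegalStateException("item count not conserved");
    }
}
```

The conservation check at the end of `main` is the property to test for on the server side: any client-driven transfer that changes the total item count indicates a missing debit or an unvalidated index.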