CVE-2023-37262 Information
Description
CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3 and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting provider such as AWS, GCP or Azure, the metadata service API endpoints of those providers are not forbidden (aka blacklisted) by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or escalate privileges into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3 and 1.16.5-1.101.3 contain a fix for this issue.
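A deny-by-default check for outbound requests of the kind the description says was missing, as an added example that is not CC: Tweaked's own code. The class and method names are hypothetical, and the two metadata addresses are assumptions (the well-known IPv4 metadata address shared by AWS, GCP and Azure, and the AWS IPv6 one), not values taken from this page.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

public class MetadataAddressFilter {
    // Assumption: well-known metadata addresses (AWS/GCP/Azure IPv4, AWS IPv6).
    private static final List<String> METADATA = List.of("169.254.169.254", "fd00:ec2::254");

    /** True if an outbound request to this resolved address must be refused. */
    static boolean isForbidden(InetAddress addr) throws UnknownHostException {
        // Link-local covers 169.254.0.0/16; loopback and private ranges are
        // blocked too so the server's own network is not reachable either.
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()) {
            return true;
        }
        // fd00:ec2::254 is a unique-local address, which isSiteLocalAddress()
        // does not match, so compare against the explicit list as well.
        for (String literal : METADATA) {
            if (InetAddress.getByName(literal).equals(addr)) return true;
        }
        return false;
    }

    /** Checks every address a host name resolves to, not the name itself. */
    static boolean isHostForbidden(String host) throws UnknownHostException {
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isForbidden(addr)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample inputs: IP literals only, so no DNS lookup happens.
        String[] samples = {
            "169.254.169.254", "::ffff:169.254.169.254", "fd00:ec2::254",
            "127.0.0.1", "10.0.0.5", "203.0.113.10"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isHostForbidden(s) ? "DENY" : "allow"));
        }
    }
}
```

The check runs on resolved addresses because a host name that looks harmless can resolve to a metadata address. The connection should then be made to the address that was checked rather than resolving the name a second time.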
Reference
https://github.com/cc-tweaked/CC-Tweaked/commit/4bbde8c50c00bc572578ab2cff609b3443d10ddf
https://github.com/dan200/ComputerCraft/issues/170
https://github.com/MightyPirates/OpenComputers/security/advisories/GHSA-vvfj-xh7c-j2cm
https://github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-7p4w-mv69-2wm2
https://github.com/cc-tweaked/CC-Tweaked/blob/96847bb8c28df51e5e49f2dd2978ff6cc4e2821b/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L116-L126