mrpack-install vulnerable to path traversal with dependency
Package
Affected versions: <= 0.16.2
Patched versions: 0.16.3
Description
Published to the GitHub Advisory Database: Feb 8, 2023
Reviewed: Feb 8, 2023
Published by the National Vulnerability Database: Jun 26, 2023
Last updated: Nov 7, 2023
Impact
Importing a malicious .mrpack file can cause path traversal while downloading files. This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.
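A defensive check for the issue described under Impact, as an added example that is not code from mrpack-install or from this advisory: it lists the download paths in a pack index that would land outside the target directory. It assumes the files[].path field of modrinth.index.json from the format definition linked under References; safeJoin, rejectedPaths, the /srv/minecraft directory and the sample index are hypothetical or constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves rel under base and rejects any result outside base.
// Backslashes count as separators and ':' is refused (drive-qualified paths).
func safeJoin(base, rel string) (string, error) {
	rel = strings.ReplaceAll(rel, "\\", "/")
	if rel == "" || strings.HasPrefix(rel, "/") || strings.Contains(rel, ":") {
		return "", fmt.Errorf("path %q is empty, absolute or drive-qualified", rel)
	}
	target := filepath.Join(base, filepath.FromSlash(rel))
	back, err := filepath.Rel(base, target)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %s", rel, base)
	}
	return target, nil
}

// rejectedPaths lists every files[].path in a modrinth.index.json document
// that safeJoin refuses to place under base.
func rejectedPaths(base string, index []byte) ([]string, error) {
	var doc struct {
		Files []struct {
			Path string `json:"path"`
		} `json:"files"`
	}
	if err := json.Unmarshal(index, &doc); err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range doc.Files {
		if _, err := safeJoin(base, f.Path); err != nil {
			bad = append(bad, f.Path)
		}
	}
	return bad, nil
}

// Constructed sample index for illustration, not taken from a real modpack.
const sampleIndex = `{"files":[{"path":"mods/example.jar"},{"path":"../../.bashrc"},{"path":"/etc/cron.d/x"},{"path":"config/../../startup.sh"},{"path":"..\\evil.bat"}]}`

func main() {
	fmt.Println(rejectedPaths("/srv/minecraft", []byte(sampleIndex)))
}
```

The check is lexical only: it does not resolve symbolic links that already exist inside the target directory.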
Patches
No patches yet.
Workarounds
Avoid importing .mrpack files from untrusted sources.
References
https://docs.modrinth.com/docs/modpacks/format_definition/#files