PT-2021-21747 · Unknown · SuperMartijn642's Config Lib

Modmuss50 · Published 2021-08-05 · Updated 2021-08-17 · CVE-2021-37632

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SuperMartijn642's Config Lib versions 1.0.4 through 1.0.8

Description: The issue affects a library used by several Minecraft mods, so it can be exploited on both servers and clients. The library uses ObjectInputStream#readObject to read enum values from packet data sent by servers; readObject instantiates whatever classes the input data names, without validation. This can lead to remote code execution if a suitable class is available on the classpath. Both clients and servers are vulnerable, because malicious packets can be sent in either direction.

Recommendations: For SuperMartijn642's Config Lib versions 1.0.4 through 1.0.8, update to version 1.0.9 or higher to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable ObjectInputStream#readObject function until the update can be applied.
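An added illustration of the weak pattern beside a hardened replacement (example code written for this advisory, not code from SuperMartijn642's Config Lib): the enum Mode and the packet layout are constructed stand-ins, and the readEnumFiltered variant assumes a Java 9+ runtime where ObjectInputFilter is available.

```java
import java.io.*;
// Constructed stand-in for any enum-typed config value the server syncs to clients.
enum Mode { OFF, ON, AUTO }

public class EnumPacketCodec {

    // Vulnerable pattern from the advisory: the enum comes back through readObject, so the
    // remote peer picks which Serializable class is instantiated before the cast to Mode runs.
    static Mode readEnumUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return (Mode) in.readObject();
        }
    }

    // Hardened encoding: only the constant's name travels, as a length-prefixed UTF string.
    static byte[] writeEnumSafe(Mode mode) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(bytes)) {
            out.writeUTF(mode.name());
        }
        return bytes.toByteArray();
    }

    // Hardened decoding: Enum.valueOf can only return a constant of Mode, and an unknown
    // name is rejected as a malformed packet; no object deserialization is involved.
    static Mode readEnumSafe(byte[] packet) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(packet))) {
            String name = in.readUTF();
            try {
                return Mode.valueOf(name);
            } catch (IllegalArgumentException e) {
                throw new IOException("unknown Mode constant in packet: " + name);
            }
        }
    }

    // Interim mitigation if readObject cannot be removed yet (Java 9+): a deserialization
    // filter that admits only the expected enum and its java.lang.Enum superclass.
    static Mode readEnumFiltered(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("Mode;java.lang.Enum;!*"));
            return (Mode) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] packet = writeEnumSafe(Mode.AUTO);
        System.out.println("decoded safely: " + readEnumSafe(packet));
    }
}
```

The filter variant still relies on the deserializer and is only a stopgap; the name-based codec removes readObject from the packet path entirely, which is the fix the 1.0.9 update represents.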

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2021-37632
GHSA-F4R5-W453-2JX6

Affected Products

SuperMartijn642's Config Lib