PT-2021-22435 · Geyser · Geyser

Camotoy +3

Published: 2021-08-30 · Updated: 2021-09-10

CVE-2021-39177

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Geyser versions prior to 1.4.2-SNAPSHOT
Description: Geyser does not sufficiently validate the JWT token carried in the Bedrock LoginPacket, so anyone who can connect to the server can forge a LoginPacket with a manipulated token and be treated as any user they choose to name. The impact is greatest when Java account credentials have been saved in the Geyser configuration, because the forged Bedrock identity is then mapped onto the stored account without any further check. A server running in online mode without saved credentials is not affected in this way, since every user must still log in separately. The estimated number of potentially affected devices is not provided.
Recommendations: Upgrade to Geyser 1.4.2-SNAPSHOT or later. Until that is possible, run in online mode and do not save credentials in the Geyser configuration, so that a forged login still has to pass a real authentication step. An additional authentication method on the Java server further limits what an impersonated session can do.
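The failure described above, as an added example that is not Geyser's code (Geyser is written in Java; this is a stand-alone Go program using only the standard library). It models a Bedrock-style login chain of ES384 JWTs in simplified form: each token's x5u header carries the signer's public key, identityPublicKey delegates to the next key, and extraData.displayName is the claimed player. The field names follow the Bedrock login chain, but the chain layout, the trusted root key, the session and attacker keys and the names alice/admin are all constructed for this example and are assumptions. unverifiedIdentity reproduces the flawed behaviour, decoding the last payload and believing it; verifiedIdentity is the check a fix needs: every signature must verify under its own x5u, a trusted root key must sign into the chain, and each later token must be signed by the key the previous one delegated to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// token holds the fields of this simplified login-chain model (an assumption, not the Bedrock
// wire format): x5u names the signer, identityPublicKey the delegated key, extraData the player.
type token struct {
	Alg               string            `json:"alg,omitempty"`
	X5U               string            `json:"x5u,omitempty"`
	IdentityPublicKey string            `json:"identityPublicKey,omitempty"`
	ExtraData         map[string]string `json:"extraData,omitempty"`
}

var b64 = base64.RawURLEncoding

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	return k
}

func encodeKey(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return base64.StdEncoding.EncodeToString(der)
}

// signToken issues an ES384 JWT over payload, signed and self-identified (x5u) by priv.
func signToken(priv *ecdsa.PrivateKey, payload token) string {
	h, _ := json.Marshal(token{Alg: "ES384", X5U: encodeKey(&priv.PublicKey)})
	p, _ := json.Marshal(payload)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha512.Sum384([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 48)), s.FillBytes(make([]byte, 48))...) // JWS: r || s
	return input + "." + b64.EncodeToString(sig)
}

// unverifiedIdentity mirrors the flaw: it decodes the last payload and believes it,
// never checking a signature or whether a trusted key signed the chain at all.
func unverifiedIdentity(chain []string) string {
	var payload token
	raw, _ := b64.DecodeString(strings.Split(chain[len(chain)-1], ".")[1])
	json.Unmarshal(raw, &payload)
	return payload.ExtraData["displayName"]
}

// verifiedIdentity accepts a chain only if every signature verifies under its own x5u, some
// token is signed by root, and each later token is signed by the key the previous one delegated to.
func verifiedIdentity(chain []string, root *ecdsa.PublicKey) (string, error) {
	trusted, expected, name := false, "", ""
	for i, tok := range chain {
		h64, rest, _ := strings.Cut(tok, ".")
		p64, s64, ok := strings.Cut(rest, ".")
		var hdr, payload token // fresh per token so stale fields never survive Unmarshal
		h, errH := b64.DecodeString(h64)
		p, errP := b64.DecodeString(p64)
		sig, errS := b64.DecodeString(s64)
		if !ok || errH != nil || errP != nil || errS != nil || len(sig) != 96 ||
			json.Unmarshal(h, &hdr) != nil || json.Unmarshal(p, &payload) != nil {
			return "", fmt.Errorf("token %d: malformed", i)
		}
		der, _ := base64.StdEncoding.DecodeString(hdr.X5U)
		key, _ := x509.ParsePKIXPublicKey(der)
		signer, ok := key.(*ecdsa.PublicKey)
		digest := sha512.Sum384([]byte(h64 + "." + p64))
		r, s := new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])
		// Once the chain is rooted, only the key the previous token delegated to may sign.
		if !ok || hdr.Alg != "ES384" || !ecdsa.Verify(signer, digest[:], r, s) || (trusted && hdr.X5U != expected) {
			return "", fmt.Errorf("token %d: bad signature, or signer was never delegated to", i)
		}
		trusted, expected, name = trusted || signer.Equal(root), payload.IdentityPublicKey, payload.ExtraData["displayName"]
	}
	if !trusted {
		return "", fmt.Errorf("chain is not signed by the trusted root key")
	}
	return name, nil
}

func main() {
	root, session, attacker := newKey(), newKey(), newKey()
	chains := map[string][]string{ // genuine: root delegates to a session key that asserts the identity
		"genuine": {signToken(root, token{IdentityPublicKey: encodeKey(&session.PublicKey)}),
			signToken(session, token{ExtraData: map[string]string{"displayName": "alice"}})},
		// forged: the attacker can only sign with their own key, so root never vouches for it
		"forged": {signToken(attacker, token{ExtraData: map[string]string{"displayName": "admin"}})},
	}
	for label, chain := range chains {
		name, err := verifiedIdentity(chain, &root.PublicKey)
		fmt.Printf("%s: unverified=%q verified=%q err=%v\n", label, unverifiedIdentity(chain), name, err)
	}
}
```

Running main shows the genuine chain resolving to alice on both paths, while the forged chain yields admin from the unverified decoder and an error from the verifier. The case worth keeping in mind is a spliced chain, a replayed root-signed token followed by an attacker-signed identity: every signature in it is valid, so checking signatures alone is not enough; the verifier also has to insist that each token's signer is the key the previous token delegated to.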

Fix: available (1.4.2-SNAPSHOT and later)

Weakness Enumeration: Improper Authentication (CWE-287)

Related Identifiers: CVE-2021-39177, GHSA-h77f-xxx7-4858

Affected Products: Geyser