PT-2023-23015 · Spigot+2

Rilshrink · Published 2023-05-01 · Updated 2023-05-09 · CVE-2023-30859

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Triton versions prior to 3.8.4

Description

The issue affects the Triton Minecraft plugin for Spigot and BungeeCord and allows commands to be executed on the Spigot/Bukkit console through the CustomPayload packet. When bungee mode is enabled in the config, the server broadcasts the 'triton:main' plugin channel, which can be used to send a payload packet containing a byte and a string, effectively allowing any Spigot command to be executed. This could lead to elevation of privileges, such as making oneself a server operator, and to extraction of other users' information through phishing. The issue is particularly concerning for servers that use Essentials, as commands like /geoip could be exploited.

Recommendations

For versions prior to 3.8.4, update to version 3.8.4 to resolve the issue. As a temporary workaround, consider disabling bungee mode in the config so that the server does not broadcast the 'triton:main' plugin channel, thereby minimizing the risk of exploitation. Restrict access to the CustomPayload packet and the 'triton:main' plugin channel to minimize the risk of unauthorized command execution. Avoid using the 'triton:main' plugin channel until the issue is resolved.

Related Identifiers

CVE-2023-30859
GHSA-8VJ5-JCCF-Q25R

Affected Products

Bungeecord
Spigot
Triton