CVE-2021-33790

CRITICAL

Techreborn Reborncore < 3.13.8 - Insecure Deserialization

Title source: rule

Description

The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.

References (3)

Scores

CVSS v3 9.8
EPSS 0.0543
EPSS Percentile 90.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

techreborn/reborncore < 3.13.8

Timeline

Published May 31, 2021
Tracked Since Feb 18, 2026