CVE-2022-23884
CRITICAL
Mojang Bedrock Dedicated Server <1.18.2 - Code Injection
Title source: llm
Description
Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).
Exploits (2)
Scores
CVSS v3: 9.8
EPSS: 0.0510
EPSS Percentile: 89.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-190
Status: published
Products (1): minecraft/bedrock_server 1.18.2
Published: Mar 28, 2022
Tracked Since: Feb 18, 2026