CVE-2023-37262
CRITICALCC: Tweaked < 1.16.5-1.101.3 - Server-Side Request Forgery via Unrestricted Cloud Metadata Endpoints
Title source: llmDescription
CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-7p4w-mv69-2wm2
Not Applicable x_refsource_misc
https://github.com/MightyPirates/OpenComputers/security/advisories/GHSA-vvfj-xh7c-j2cm
Issue Tracking x_refsource_misc
https://github.com/dan200/ComputerCraft/issues/170
Patch x_refsource_misc
https://github.com/cc-tweaked/CC-Tweaked/commit/4bbde8c50c00bc572578ab2cff609b3443d10ddf
Scores
CVSS v3
9.6
EPSS
0.0072
EPSS Percentile
49.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-918
Status
published
Products (1)
tweaked/cc-tweaked
< 1.16.5-1.101.3
Published
Jul 07, 2023
Tracked Since
Feb 18, 2026