CVE-2023-30859

Published: May 1, 2023

Modified: Jan 30, 2025

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your Minecraft server. The CustomPayload packet allows you to execute commands on the spigot/bukkit console. When you enable bungee mode in the config it will enable the bungee bridge and the server will begin to broadcast the 'triton:main' plugin channel. Using this plugin channel you are able to send a payload packet containing a byte (2) and a string (any spigot command). This could be used to make yourself a server operator and be used to extract other user information through phishing (pretending to be an admin), many servers use essentials so the /geoip command could be available to them, etc. This could also be modified to allow you to set the servers language, set another players language, etc. This issue affects those who have bungee enabled in config. This issue has been fixed in version 3.8.4.

Vendor	Product	Versions
tritonmc	Triton	affected `< 3.8.4`

Weaknesses (CWE)

CWE-419

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

Low

References

https://github.com/tritonmc/Triton/security/advisories/GHSA-8vj5-jccf-q25r

x_refsource_CONFIRM

https://github.com/tritonmc/Triton/releases/tag/v3.8.4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-30859

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References