Zrips / CMI


Shulker Box Copy Vulnerability #9092

Closed jorden2895 closed 2 months ago

jorden2895 commented 2 months ago

Description of Issue

cmi.openshulker

Shift+right-click boxes 1, 2 and 3 in sequence, which will cause box No. 1 to be copied to boxes 2 and 3.

Version Information

9.7.5.5  [ONLY]

Errors

No response

Relevant Config Sections

No response

Relevant Plugins

No response


mercurialmusic commented 2 months ago

Confirming. Persists on CMI 9.7.5.6.

I did get this error but not sure if it's related.

[09:00:04 WARN]: java.lang.NullPointerException: Cannot invoke "com.Zrips.CMI.Containers.CMIUser.isOnline()" because "this.user" is null
[09:00:04 WARN]:        at CMI-9.7.5.6.jar//com.Zrips.CMI.Modules.PlayTime.CMIPlayTime.updatePlayTime(CMIPlayTime.java:76)
[09:00:04 WARN]:        at CMI-9.7.5.6.jar//com.Zrips.CMI.Modules.PlayTime.CMIPlayTime.updatePlayTime(CMIPlayTime.java:63)
[09:00:04 WARN]:        at CMI-9.7.5.6.jar//com.Zrips.CMI.Containers.CMIUser.updatePlayTime(CMIUser.java:2447)
[09:00:04 WARN]:        at CMI-9.7.5.6.jar//com.Zrips.CMI.Modules.PlayTime.PlayTimeManager.updatePlayTimes(PlayTimeManager.java:261)
[09:00:04 WARN]:        at CMI-9.7.5.6.jar//com.Zrips.CMI.Modules.PlayTime.PlayTimeManager$1.run(PlayTimeManager.java:248)
[09:00:04 WARN]:        at org.bukkit.craftbukkit.scheduler.CraftTask.run(CraftTask.java:86)
[09:00:04 WARN]:        at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:475)
[09:00:04 WARN]:        at net.minecraft.server.MinecraftServer.tickChildren(MinecraftServer.java:1726)
[09:00:04 WARN]:        at net.minecraft.server.dedicated.DedicatedServer.tickChildren(DedicatedServer.java:473)
[09:00:04 WARN]:        at net.minecraft.server.MinecraftServer.tickServer(MinecraftServer.java:1598)
[09:00:04 WARN]:        at net.minecraft.server.MinecraftServer.runServer(MinecraftServer.java:1304)
[09:00:04 WARN]:        at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:330)
[09:00:04 WARN]:        at java.base/java.lang.Thread.run(Thread.java:1583)

CMI plugin version: 9.7.5.6 Velocity CMIB SqLite-> 9.7.5.5
CMILib: 1.5.1.2
Server: Paper(52) 1.21.1-R0.1-SNAPSHOT-
CMI economy: Enabled Vault: 1.7.3-CMI CMI Chat: Disabled
Modules -> 64 enabled 2 disabled: ranks, skin

mercurialmusic commented 2 months ago

Persists in CMI 9.7.5.7 as well.

Momshroom commented 2 months ago

Can confirm. Still exists in this setup:

20:55:36 INFO: CMI plugin version: 9.7.5.7 MySQL-> 9.7.5.5
20:55:36 INFO: CMILib: 1.5.1.3
20:55:36 INFO: Server: Paper(52) 1.21.1-R0.1-SNAPSHOT+
20:55:36 INFO: CMI economy: Disabled Vault: 1.7.3-b131 CMI Chat: Disabled
20:55:36 INFO: Modules -> 58 enabled 8 disabled: spawnerProximity, flightCharge, disabledEnchants, mirror, ranks, moneyCheque, spawners, spawnerCharge

mrfloris commented 2 months ago

I've given zrips a poke in DM on Discord; he's probably asleep now. Just use .4 until there's a fix out. Thanks for reporting; maybe next time, practice responsible disclosure so developers can find time to address reports.

jorden2895 commented 2 months ago

This issue has been fixed in 9.7.5.8