Cyclops Integrated Scripting Arbitrary Code Execution Vulnerability

Vulnerability

A critical vulnerability allowing arbitrary code execution has been identified in the Cyclops Integrated Scripting tool for Minecraft. This issue affects versions prior to 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10. The vulnerability arises from the improper handling of exceptions, which allows users to escape the JavaScript sandbox and execute arbitrary Java methods on the server. Exploitation of this vulnerability could lead to the execution of arbitrary native code, such as commands via 'java.lang.Runtime.exec', on the Minecraft server.

Impact

Exploitation of this vulnerability allows any player with access to Integrated Scripting Variable Cards to execute arbitrary Java methods and native code on the Minecraft server.

Reproduction

The vulnerability can be reproduced by creating a script that throws an exception, which can then be caught as a native Java exception object. This object can be used to perform Java reflection, allowing the invocation of arbitrary methods on arbitrary classes. For example, a script could be crafted to access server functions and manipulate player roles.

Remediation

Users should update to Integrated Scripting versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, or 1.19.2-1.0.10.
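
The check below is an added example, not code from the Integrated Scripting project or this advisory's author: it classifies an installed version string against the fixed releases listed above. It assumes version strings follow the <minecraft>-<mod>[-<build>] layout used in this advisory and that versions are only comparable within the same Minecraft branch; the function names and sample inventory are hypothetical.

```python
import re

# Fixed releases listed in the advisory, keyed by Minecraft version.
FIXED = {
    "1.21.1": ((1, 0, 17), None),
    "1.21.4": ((1, 0, 9), 254),
    "1.20.1": ((1, 0, 13), None),
    "1.19.2": ((1, 0, 10), None),
}

# Assumed layout: <minecraft>-<mod>[-<build>], as the advisory writes versions.
_VERSION = re.compile(r"^(\d+(?:\.\d+)+)-(\d+(?:\.\d+)+)(?:-(\d+))?$")

def parse(version):
    """Split a version string into (minecraft, mod tuple, build or None)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    mod = tuple(int(p) for p in m.group(2).split("."))
    build = int(m.group(3)) if m.group(3) else None
    return m.group(1), mod, build

def status(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for an installed version."""
    try:
        mc, mod, build = parse(version)
    except ValueError:
        return "unknown"
    if mc not in FIXED:
        return "unknown"  # advisory lists no fixed release for this branch
    fixed_mod, fixed_build = FIXED[mc]
    if mod != fixed_mod:
        return "fixed" if mod > fixed_mod else "vulnerable"
    # Same mod version: only the build suffix can decide.
    if build == fixed_build:
        return "fixed"
    if build is None or fixed_build is None:
        return "unknown"  # cannot order a numbered build against an unnumbered one
    return "fixed" if build > fixed_build else "vulnerable"

# Constructed sample inventory, not taken from any real server.
SAMPLE = ["1.21.1-1.0.16", "1.21.1-1.0.17", "1.21.4-1.0.9-250", "1.21.4-1.0.9-254",
          "1.20.1-1.0.13", "1.19.2-1.0.9", "1.20.4-1.0.5", "1.21.4-1.0.9"]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v:20} {status(v)}")
```

An "unknown" result means the advisory's version list cannot decide the case, so the installed build should be checked manually.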

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.