InventoryGui Item Duplication Vulnerability in GUIs Using GuiStorageElement
Vulnerability
A vulnerability in the InventoryGui library, in versions through 1.6.3-SNAPSHOT, allows item duplication in GUIs that use the GuiStorageElement when the experimental Bundle item feature is enabled on the server. The issue arises because right-clicking with a bundle on an affected GUI element transfers the bundle to the GUI while also leaving it on the cursor with one less item, contrary to normal inventory behavior.
Impact
Exploitation of this vulnerability leads to unauthorized item duplication, specifically with bundles, in GUIs that use the GuiStorageElement.
Reproduction
To reproduce this vulnerability, create a GUI using the InventoryGui library version 1.6.3-SNAPSHOT or earlier, and include a GuiStorageElement. Enable the experimental Bundle item feature on the server. Right-clicking with a bundle in the GUI then duplicates it: one bundle remains on the cursor with one less item, while another is placed in the GUI.
Remediation
Users can update to InventoryGui version 1.6.4-SNAPSHOT, where this vulnerability has been patched. For those using version 1.6.3-SNAPSHOT, the patch has been backported and can be applied.
