InventoryGui Item Duplication Vulnerability in Bukkit/Spigot Plugins
Vulnerability
A vulnerability allowing item duplication has been identified in the InventoryGui library, affecting versions through 1.6.1-SNAPSHOT. The issue only arises when the experimental Bundle item feature is enabled on the server; any plugin that uses the GuiStorageElement is then affected. Double-clicking an item that occupies multiple slots triggers a NullPointerException in the library's click handling and, as a result, duplicates the item.
Impact
Exploitation of this vulnerability leads to unauthorized item duplication in Minecraft GUIs that use the GuiStorageElement.
Reproduction
To reproduce this vulnerability, use a plugin that incorporates InventoryGui version 1.6.1-SNAPSHOT or earlier and enable the experimental Bundle item feature on the server. Then create a GUI that uses the GuiStorageElement and place an item that occupies multiple slots into it. Double-clicking the item triggers the vulnerability and duplicates it.
Remediation
Update to InventoryGui version 1.6.2-SNAPSHOT, which addresses the vulnerability. If the updated version cannot be deployed yet, avoid using the GuiStorageElement in GUIs as a temporary measure.
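As an added illustration of a stop-gap a server operator could apply until the upgrade lands (this is example code, not part of InventoryGui or the advisory), the Bukkit listener below refuses DOUBLE_CLICK actions while one of the plugin's own GUIs is open. It assumes the plugin marks its GUI inventories with the hypothetical GuiHolder class shown here; the package name is likewise made up.

```java
package example.mitigation; // hypothetical package name

import org.bukkit.entity.Player;
import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.inventory.ClickType;
import org.bukkit.event.inventory.InventoryClickEvent;
import org.bukkit.inventory.Inventory;
import org.bukkit.inventory.InventoryHolder;
import org.bukkit.plugin.java.JavaPlugin;

/**
 * Defensive listener: while a plugin GUI (identified by our own marker holder)
 * is open, cancel double-click actions. The advisory names the double-click
 * on a multi-slot item as the trigger for the NullPointerException, so
 * removing that interaction removes the trigger without touching the library.
 */
public final class GuiDoubleClickGuard implements Listener {

    /** Marker holder; assumption: the plugin creates its GUI inventories with it. */
    public static final class GuiHolder implements InventoryHolder {
        private Inventory inventory;
        @Override public Inventory getInventory() { return inventory; }
        public void setInventory(Inventory inventory) { this.inventory = inventory; }
    }

    private final JavaPlugin plugin;

    public GuiDoubleClickGuard(JavaPlugin plugin) {
        this.plugin = plugin;
        plugin.getServer().getPluginManager().registerEvents(this, plugin);
    }

    // LOWEST priority so this runs before the GUI library's own click handlers.
    @EventHandler(priority = EventPriority.LOWEST, ignoreCancelled = true)
    public void onClick(InventoryClickEvent event) {
        Inventory top = event.getView().getTopInventory();
        if (!(top.getHolder() instanceof GuiHolder)) {
            return; // not one of our GUIs: leave vanilla behaviour untouched
        }
        if (event.getClick() != ClickType.DOUBLE_CLICK) {
            return; // only the double-click "collect to cursor" path is blocked
        }
        event.setCancelled(true);
        if (event.getWhoClicked() instanceof Player) {
            Player player = (Player) event.getWhoClicked();
            plugin.getLogger().warning("Blocked double-click in GUI by " + player.getName());
        }
    }
}
```

The log line gives operators a signal to watch for while the workaround is in place; it does not fix the underlying library bug, so the upgrade remains the actual remediation.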
