
Specially-named Items cause stack overflow or watchdog crashes (<2.9.4)

Moderate
crashdemons published GHSA-848q-2vxp-759r Jan 3, 2021

Package

DisplayItem-Spigot (Maven)

Affected versions

2.8.0-2.9.3

Patched versions

2.9.4

Description

Impact

What kind of vulnerability is it? Who is impacted?
Spigot Minecraft servers running DisplayItem-Spigot 2.8.0-2.9.3 (i.e. since the addition of the /shareitem command) incorrectly allow users to craft an item that causes recursion in DisplayItem's event handling, resulting in a stack overflow or a long busy period. This can cause players to be kicked or the server to crash from watchdog timeouts.

Note: This issue can be triggered without access to the shareitem command, despite it being introduced at the same time as those changes.

Aside: 2.9.4-SNAPSHOT and 2.9.4 Release are identical except in name - they both patch this issue.

This issue does not impact plugin developers using the project as a dependency, and no action is necessary aside from normal dependency updates. The exceptions are forks of the project and projects that shade this project into themselves, which will contain the same problems.

Patches

Has the problem been patched? What versions should users upgrade to?
The problem was patched immediately after it was identified and users should update to version 2.9.4 at their earliest convenience.
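To check which installed jars fall in the affected range, the following added example (not part of the advisory or the DisplayItem project) reads the standard Spigot plugin.yml from each jar and compares its version against 2.8.0-2.9.3. It assumes the plugin's plugin.yml name contains "DisplayItem"; the sample jars are constructed in memory.

```python
import io
import re
import sys
import zipfile

AFFECTED_MIN = (2, 8, 0)     # first affected release, per the advisory
PATCHED = (2, 9, 4)          # first patched release, per the advisory
PLUGIN_NAME = "displayitem"  # assumption: lower-cased name: value in plugin.yml

def parse_version(text):
    """'2.9.4-SNAPSHOT' -> (2, 9, 4); qualifiers after the numbers are dropped."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version_text):
    # 2.9.4-SNAPSHOT compares equal to 2.9.4, which matches the advisory's aside.
    return AFFECTED_MIN <= parse_version(version_text) < PATCHED

def read_plugin_yml(jar):
    """Top-level name/version from a jar's plugin.yml (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        if "plugin.yml" not in zf.namelist():
            return {}
        text = zf.read("plugin.yml").decode("utf-8", errors="replace")
    pairs = re.findall(r"^(name|version)[ \t]*:[ \t]*(.+?)[ \t]*$", text, re.M)
    return {key: value.strip("'\"\r ") for key, value in pairs}

def audit_jar(jar):
    meta = read_plugin_yml(jar)
    if PLUGIN_NAME not in meta.get("name", "").lower():
        return "not-displayitem"
    try:
        return "affected" if is_affected(meta.get("version", "")) else "ok"
    except ValueError:
        return "unknown-version"

def sample_jar(name, version):
    """Constructed in-memory jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.yml", f"name: {name}\nversion: {version}\nmain: x.Y\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    jars = sys.argv[1:] or [sample_jar("DisplayItem", v) for v in ("2.9.3", "2.9.4")]
    for jar in jars:
        print(jar if isinstance(jar, str) else "<constructed>", audit_jar(jar))
```

Pass jar paths as arguments to audit real files; forks and plugins that shade DisplayItem carry a different plugin.yml and will not be matched by name.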

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Disabling the sendmodifiedchatevent configuration setting (and performing /direload) may mitigate the issue for outdated versions of the plugin, but updating to 2.9.4 is strongly recommended.

Disabling displayitem.replace permission (which removes access to share items in chat) for users is also an effective option.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs