CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka blacklisted) by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cc-tweaked | Tweaked | * | 1.16.5-1.101.3 (excluding) |
| Cc-tweaked | Tweaked | 1.17.1-1.98.1 (including) | 1.18.2-1.101.3 (excluding) |
| Cc-tweaked | Tweaked | 1.19.1-1.100.9 (including) | 1.19.2-1.101.3 (excluding) |
| Cc-tweaked | Tweaked | 1.19.3-1.102.0 (including) | 1.19.4-1.106.0 (excluding) |
| Cc-tweaked | Tweaked | 1.20.1-1.105.0 (including) | 1.20.1-1.106.0 (excluding) |