Advisory #67
Title: Minecraft improper symbolic link handling
CVE ID: CVE-2023-33245
Vendor: Mojang Studios
Affected product: Minecraft
Affected versions: < 1.20 Pre-release 7
Vulnerability type: CWE-59 (Improper Link Resolution Before File Access)
Description: Minecraft before 1.20 Pre-release 7 improperly handles world data containing symbolic links, allowing malicious world data to overwrite arbitrary files with partially controlled contents. This vulnerability may result in remote code execution depending on the target environment. (Typically, this occurs when untrusted world data is extracted using an archiver with symbolic link support.)
Status: Fixed in 1.20 Pre-release 7
Recommendation: Update to 1.20 Pre-release 7 or above. If you are using an older version of Minecraft, check for symbolic links before loading untrusted world data.
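
One way to carry out the check in the recommendation, as an added example (not part of the original advisory and not Mojang's code): it lists symbolic links in an extracted world directory, and in a zip archive before extraction. The function names are hypothetical, and the zip check assumes the archive records Unix mode bits.

```python
import os
import stat
import sys
import zipfile
from pathlib import Path


def symlinks_in_dir(world_dir):
    """Return (relative path, link target, escapes_root) for each symlink under world_dir."""
    root = Path(world_dir).resolve()
    found = []
    # followlinks=False: list links but never descend through them while scanning.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = os.readlink(p)
                resolved = Path(os.path.realpath(p))
                # A link is flagged as escaping when it resolves outside the world root.
                escapes = resolved != root and root not in resolved.parents
                found.append((str(p.relative_to(root)), target, escapes))
    return sorted(found)


def symlinks_in_zip(archive):
    """Return names of zip entries whose Unix mode marks them as symbolic links."""
    names = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode is stored in the high 16 bits
            if stat.S_ISLNK(mode):
                names.append(info.filename)
    return names


if __name__ == "__main__" and len(sys.argv) == 2:
    path = sys.argv[1]
    if os.path.isdir(path):
        hits = [f"{rel} -> {tgt}{' (outside world)' if esc else ''}"
                for rel, tgt, esc in symlinks_in_dir(path)]
    else:
        hits = symlinks_in_zip(path)
    print("\n".join(hits) if hits else "no symbolic links found")
    sys.exit(1 if hits else 0)
```

Any reported link in untrusted world data is a reason not to load it in an affected version.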