Impact
Vulnerable versions: 5.2 build 1168 to 5.5 build 2163
SQL Injection allows a malicious actor to read any data from the database and to change or delete data. This may expose the salted and hashed passwords of Plan web users, or other data in the database.
If login is enabled: malicious users with access to /players-page can access an endpoint which was found to contain an SQL Injection vulnerability.
If login is not enabled: any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.
Patches
Fixed in 5.5 build 2172 https://github.com/plan-player-analytics/Plan/releases/tag/5.5.2172
A backport fix for version 5.4 build 1722 can be found here for those still running Java 8 or Sponge 7 https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1
Workarounds
Mitigation options if you are unable to update
- Enable HTTPS and login so that fewer users have access to the vulnerable endpoint.
  https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-(HTTPS)-Set-Up
- Enable the IP whitelist so that fewer users have access to the vulnerable endpoint.
    Webserver:
        Security:
            IP_whitelist:
                Enabled: true
- If you are unable to update or secure the server, disable the Plan webserver. This option is good if you want to delay updating to a more convenient time.
    Webserver:
        Disable_webserver: true
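A triage check for the version range and mitigations listed above, as an added example that is not part of the advisory or of Plan's own code. It assumes build numbers increase monotonically across releases and that the config uses the indented key layout shown above; the function names and sample config are constructed for illustration.

```python
import re
# Build numbers from the advisory; assumed to increase monotonically across releases.
FIRST_VULN_BUILD, LAST_VULN_BUILD, BACKPORT_BUILD = 1168, 2163, 1722

def is_vulnerable(version):
    """Accepts '5.4 build 1722' or release-tag style '5.4.1722.1'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s+build\s+|\.)(\d+)(?:\.(\d+))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised Plan version: {version!r}")
    build, patch = int(m.group(3)), int(m.group(4) or 0)
    if build == BACKPORT_BUILD and patch >= 1:
        return False  # 5.4.1722.1 carries the backported fix
    return FIRST_VULN_BUILD <= build <= LAST_VULN_BUILD

def read_settings(config_text):
    """Flatten indented 'key: value' lines into dotted paths (a YAML subset only)."""
    settings, stack = {}, []  # stack holds (indent, key) for the current nesting
    for line in config_text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if not body.strip() or ":" not in body:
            continue
        indent = len(body) - len(body.lstrip())
        key, _, value = body.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            settings[".".join(k for _, k in stack)] = value.strip()
    return settings

def triage(version, config_text):
    if not is_vulnerable(version):
        return "not in vulnerable range"
    s = read_settings(config_text)
    if s.get("Webserver.Disable_webserver") == "true":
        return "vulnerable, webserver disabled"
    if s.get("Webserver.Security.IP_whitelist.Enabled") == "true":
        return "vulnerable, reachable only from whitelisted IPs"
    return "vulnerable, endpoint exposed"

# Constructed sample config, using only the keys named in the advisory.
SAMPLE_CONFIG = """\
Webserver:
    Security:
        IP_whitelist:
            Enabled: true
    Disable_webserver: false
"""
```

A result other than "not in vulnerable range" means the install still needs the update; the mitigations only limit who can reach the endpoint.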