CVE-2023-36123 – This CVE describes a directory traversal vulner... (How to Fix)

Q: What is the severity of CVE-2023-36123?

CVE-2023-36123 has a CVSS score of 7.8 (HIGH). This CVE describes a directory traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 Alpha 1.3.9 that allows local attackers to execute arbitrary code and access sensitive information. Attackers can exploit path traversal flaws to read or write files outside the intended directory, potentially leading to system compromise. Only users of this specific launcher version are affected.

📋 TL;DR

This CVE describes a directory traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 Alpha 1.3.9 that allows local attackers to execute arbitrary code and access sensitive information. Attackers can exploit path traversal flaws to read or write files outside the intended directory, potentially leading to system compromise. Only users of this specific launcher version are affected.

💻 Affected Systems

Products:

Hex-Dragon Plain Craft Launcher 2

Versions: Alpha 1.3.9

Operating Systems: Windows, Linux, macOS - any OS running the launcher

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the specific Alpha 1.3.9 version; other versions may not be vulnerable.

📦 What is this software?

Plain Craft Launcher 2 by Plain Craft Launcher 2 Project

View all CVEs affecting Plain Craft Launcher 2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attackers gain full system control through arbitrary code execution, potentially compromising the entire system and accessing all user data.

🟠

Likely Case

Local attackers read sensitive configuration files, user data, or execute limited malicious code within the application context.

🟢

If Mitigated

Attackers are limited to the application's sandbox or user permissions with minimal data exposure.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring attacker access to the system.

🏢 Internal Only: HIGH - Local attackers on shared systems or multi-user environments can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local access to the system; public proof-of-concept code is available in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Upgrade to a newer version if available, or discontinue use of the vulnerable version.

🔧 Temporary Workarounds

Remove vulnerable launcher

all

Uninstall Hex-Dragon Plain Craft Launcher 2 Alpha 1.3.9 completely

On Windows: Use Add/Remove Programs or manually delete installation directory
On Linux/macOS: Remove the application directory and any launcher files

Restrict file permissions

all

Limit the launcher's file access permissions to prevent directory traversal

chmod 700 /path/to/launcher (Linux/macOS)
Use Windows ACL to restrict application directory access

🧯 If You Can't Patch

Run the launcher in a sandboxed or isolated environment with minimal permissions
Monitor for suspicious file access patterns and block the application if exploitation is detected

🔍 How to Verify

Check if Vulnerable:

Check if Hex-Dragon Plain Craft Launcher 2 Alpha 1.3.9 is installed on the system

Check Version:

Check launcher properties or about dialog; on command line, navigate to installation directory and check version files if available

Verify Fix Applied:

Verify the vulnerable version has been removed and no longer exists on the system

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from the launcher process
Attempts to access files outside the expected application directory

Network Indicators:

None - this is a local file system vulnerability

SIEM Query:

Process execution of Plain Craft Launcher with file access events to sensitive directories

📊 Metadata

CVE ID: CVE-2023-36123

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: October 7, 2023

Last Updated: November 21, 2024

🔗 References

https://gist.github.com/9Bakabaka/d4559b081ce0577dbf415917afc0efb5 Third Party Advisory
https://github.com/9Bakabaka/CVE-2023-36123 Exploit,Third Party Advisory
https://gist.github.com/9Bakabaka/d4559b081ce0577dbf415917afc0efb5 Third Party Advisory
https://github.com/9Bakabaka/CVE-2023-36123 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36123, you might also want to check these: