# Command Block IDE Force-OP Bug (CVE-2024-48645)
In `CommandBlockIDE#onInitialize` of Minecraft mod ["Command Block IDE"](https://modrinth.com/mod/command-block-ide) up to and including 0.4.9, a missing authorization (CWE-862) allows any user to modify "function" files used by the game when installed on a dedicated server. (Function files contain in-game commands and can be used to modify the game behavior, but cannot be used to run arbitrary code on the machine.)

This **does not** affect the common setup, where the mod is installed on the client.

This issue is fixed in version 0.4.10.

- CVSS3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CVSS4.0: 8.7 (High) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

See also: 
- Patch: https://github.com/arm32x/command-block-ide/commit/42e09840168d9c2fe2ee07f4472d296000b2a416