# CVE-2021-44228 in Minecraft
- Java 16
- Paper server build #397
- Minecraft 1.17.1

# Exploitation
In Java 16 only deserialization attacks work by default using log4j. To exploit this there needs to be a vulnerable serializable class in the classpath.
In the current state of this repository the server will only send a serialized string object. If you found a vulnerable serializable class feel free to create a pull request.