
[SECURITY] Releases are built/executed/released in the context of insecure/untrusted code #1009

Closed
JLLeitschuh opened this issue Feb 15, 2019 · 2 comments


@JLLeitschuh

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

All of these build files include resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JAR files were compromised, any developers using these could continue to be infected past updating to fix this.

```groovy
maven {
    name = "forge"
    url = "http://files.minecraftforge.net/maven"   // plain HTTP
}
```

```groovy
repositories {
    maven {
        // location of the maven that hosts JEI files
        url = "http://dvs1.progwml6.com/files/maven"   // plain HTTP
    }
    maven {
        // CraftTweaker
        name 'jared maven'
        url "http://maven.blamejared.com/"   // plain HTTP
    }
    maven {
        //Baubles
        name 'thiakil'
        url 'http://maven.thiakil.com'   // plain HTTP
    }
    maven {
        // Gamestages stuff
        url 'https://maven.mcmoddev.com'
    }
    maven {
        // CTM
        url 'https://maven.tterrag.com'
    }
}
```

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical; POC code exists already to maliciously compromise JAR files in flight.

See:

To fix: Update your build.gradle so that artifacts are resolved over HTTPS instead of HTTP.
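As an added example (not code from the issue author or from this project), the following Python script finds `url` entries in a Gradle build script that point at `http://` repositories, and rewrites only the ones whose hosts you have confirmed serve TLS. The sample build script is the repository block quoted above; the `TLS_HOSTS` set is an assumption made for the demo, and the JEI repository is deliberately left out of it to mirror the maintainer's point that not every repository offered HTTPS at the time. The regex only understands the Groovy DSL `url` forms shown here.

```python
"""Find Gradle repositories resolved over plain HTTP and upgrade the ones
known to serve TLS.

Added example for this issue, not part of the project. SAMPLE_BUILD_GRADLE is
the repositories block quoted in the issue; TLS_HOSTS is an assumption for the
demo and must be verified against the real hosts before use.
"""
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Groovy-DSL forms handled:  url = "..."   url '...'   url("...")
URL_RE = re.compile(r"""\burl\s*(?:=\s*|\(\s*|\s+)['"]([^'"]+)['"]""")

# Repository block quoted in the issue (not a constructed sample).
SAMPLE_BUILD_GRADLE = """\
repositories {
    maven {
        name = "forge"
        url = "http://files.minecraftforge.net/maven"
    }
    maven {
        // location of the maven that hosts JEI files
        url = "http://dvs1.progwml6.com/files/maven"
    }
    maven {
        // CraftTweaker
        name 'jared maven'
        url "http://maven.blamejared.com/"
    }
    maven {
        //Baubles
        name 'thiakil'
        url 'http://maven.thiakil.com'
    }
    maven {
        // Gamestages stuff
        url 'https://maven.mcmoddev.com'
    }
    maven {
        // CTM
        url 'https://maven.tterrag.com'
    }
}
"""

# ASSUMPTION for this example: hosts that were checked by hand for a working
# HTTPS endpoint (e.g. `curl -sI https://<host>/`). The JEI host is omitted on
# purpose, matching the maintainer's comment that it did not offer TLS yet.
TLS_HOSTS: Set[str] = {
    "files.minecraftforge.net",
    "maven.blamejared.com",
    "maven.thiakil.com",
}


def find_insecure_repos(gradle_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every repository URL that uses http://."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        if line.strip().startswith("//"):  # skip Groovy line comments
            continue
        m = URL_RE.search(line)
        if m and m.group(1).lower().startswith("http://"):
            hits.append((lineno, m.group(1)))
    return hits


def upgrade_to_https(gradle_text: str, tls_hosts: Set[str]) -> Tuple[str, List[str]]:
    """Rewrite http:// to https:// only for hosts in tls_hosts.

    Blindly rewriting every URL would break resolution against a repository
    that has no TLS endpoint, so URLs for other hosts are left untouched and
    still show up in find_insecure_repos() on the returned text.
    """
    out: List[str] = []
    upgraded: List[str] = []
    for line in gradle_text.splitlines():
        m = None if line.strip().startswith("//") else URL_RE.search(line)
        if m and m.group(1).lower().startswith("http://"):
            host = urlparse(m.group(1)).hostname
            if host in tls_hosts:
                line = line.replace("http://", "https://", 1)
                upgraded.append(m.group(1))
        out.append(line)
    return "\n".join(out) + "\n", upgraded


if __name__ == "__main__":
    for lineno, url in find_insecure_repos(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: repository resolved over plain HTTP: {url}")
    fixed, upgraded = upgrade_to_https(SAMPLE_BUILD_GRADLE, TLS_HOSTS)
    print(f"upgraded {len(upgraded)} URL(s); still insecure:",
          find_insecure_repos(fixed))
```

Run it against the real `build.gradle` (and `settings.gradle`, plus any `buildscript { repositories { ... } }` block) and treat every remaining `http://` hit as an open finding rather than silently downgrading. Gradle 7 and later refuse plain-HTTP repositories outright unless `allowInsecureProtocol` is set explicitly, so a hit that cannot be upgraded should be tracked until the host offers TLS or the artifact is mirrored somewhere that does.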

@HellFirePvP
Owner

"On hold" more or less until JEI's maven repo either allows for a secure connection or is hosted somewhere else that allows for that.

@HellFirePvP
Owner

There's seemingly at least some movement to move to HTTPS on the last maven repository I'm waiting on; however, this is with that kinda resolved. Will keep an eye on it and switch as soon as it's available through more secure means. Sharing the same opinion as KingLemming from the issue posted on CoFH/Feedback about the same thing.
Closing this as I don't deem it necessary to keep it open.
