There's seemingly at least some movement to move to HTTPS on the last maven repository I'm waiting on; however, this is with that kinda resolved. Will keep an eye on it and switch as soon as it's available through more secure means. Sharing the same opinion as KingLemming from the issue posted on CoFH/Feedback about the same thing.
Closing this as I don't deem it necessary to keep it open.
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
All of these build files include resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JAR files were compromised, any developers using these could continue to be infected past updating to fix this.
AstralSorcery/build.gradle, lines 4 to 7 in 233b529
AstralSorcery/build.gradle, lines 41 to 70 in 233b529
This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
This isn't just theoretical; POC code exists already to maliciously compromise a jar file in flight.
See:
To fix: Update your build.gradle so that artifacts are resolved over HTTPS instead of HTTP.
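A small check for the weakness and fix described in this issue, added here as an example (not code from the AstralSorcery project): it flags repository URLs declared over plain HTTP in a build.gradle and rewrites them to HTTPS. The build file contents are a constructed sample with hypothetical hosts, and the matcher assumes the Groovy and Kotlin DSL forms named in the comments.

```python
import re

# Constructed sample (hypothetical hosts): the weak setting, plain HTTP repositories,
# next to one already resolved over HTTPS. Not the project's real build.gradle.
SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven { url "http://maven.example.test/releases" }
    maven { url = uri("http://repo.example.test/maven") }
    // maven { url "http://old.example.test/maven" }
    maven { url 'https://maven.example.test/snapshots' }
}
"""

# Matches a repository URL in the Groovy DSL (url "..." / url '...' / url = "...")
# or the Kotlin DSL (url = uri("...") / maven("...")); captures the scheme and URL.
_URL_RE = re.compile(
    r"""(?:\burl\s*=?\s*(?:uri\()?|\bmaven\()\s*(["'])(?P<url>(?P<scheme>https?)://[^"']+)\1"""
)


def find_insecure_repositories(gradle_text):
    """Return (line_number, url) for every repository declared over plain HTTP.

    Commented-out lines are skipped so a disabled URL is not reported."""
    hits = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue
        for m in _URL_RE.finditer(line):
            if m.group("scheme") == "http":
                hits.append((lineno, m.group("url")))
    return hits


def rewrite_to_https(gradle_text):
    """Return the build script with every http:// repository URL switched to https://.

    This is only the mechanical part of the fix: each host must actually serve
    HTTPS, which has to be confirmed per repository before the build is switched."""
    def _fix(m):
        if m.group("scheme") != "http":
            return m.group(0)
        return m.group(0).replace("http://", "https://", 1)
    return _URL_RE.sub(_fix, gradle_text)
```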