Override msal4j dependency to address CVE-2024-35255
See GHSA-m5vv-6r4h-3vj9

TL;DR: An attacker would need to already have access to your computer in
order to exploit this vulnerability. Doing so would give them read-only
access to files with SYSTEM access permissions.

The override is mainly just to make Dependabot shut up about it. Since
this is a dependency of Minecraft itself, you'll likely get the
vulnerable version anyways until Mojang updates it.
Alexander01998 committed Oct 25, 2024
1 parent ccbfd13 commit c2c9572
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion build.gradle
Expand Up @@ -27,6 +27,14 @@ repositories {
// for more information about repositories.
}

// Override vulnerable msal4j dependency until Minecraft updates to a newer version
configurations.all {
resolutionStrategy {
// v1.15.0, used by Minecraft 1.21.3, is vulnerable to CVE-2024-35255
force 'com.microsoft.azure:msal4j:1.17.2'
}
}

dependencies {
// To change the versions see the gradle.properties file
minecraft "com.mojang:minecraft:${project.minecraft_version}"
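Review bot: `force 'com.microsoft.azure:msal4j:1.17.2'` inside `configurations.all` pins exactly 1.17.2 in every configuration, so once Minecraft ships an msal4j newer than 1.17.2 this block will silently downgrade it instead of stepping aside. The comment calls the override temporary ("until Minecraft updates to a newer version"), but nothing ties it to that condition. Consider expressing it as a minimum version through a dependency constraint rather than `force`, or at least state in the comment that the block must be removed when `minecraft_version` moves past 1.21.3. The version is also hard-coded here, while the `dependencies` block points to gradle.properties for versions; keeping it there would put all version bumps in one place.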
Expand Down Expand Up @@ -95,7 +103,7 @@ publishMods {
)
type = ghVersion.contains("pre") ? BETA : STABLE
modLoaders.add("fabric")

curseforge {
projectId = "353426"
accessToken = providers.environmentVariable("CURSEFORGE_API_KEY")
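Review bot: the one changed line in this hunk appears to be the blank line before `curseforge {`, with no visible textual difference, so this looks like a whitespace-only edit unrelated to the msal4j override. Keeping it out of a commit that references a CVE and an advisory makes the security change easier to audit; suggest moving it to a separate cleanup commit.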