From c2c9572356ae2dda4dd53b369930481bba685c59 Mon Sep 17 00:00:00 2001
From: Alexander01998
Date: Fri, 25 Oct 2024 15:21:23 +0200
Subject: [PATCH] Override msal4j dependency to address CVE-2024-35255

See https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
TL;DR: An attacker would need to already have access to your computer in order to exploit this vulnerability. Doing so would give them read-only access to files with SYSTEM access permissions.
The override is mainly just to make Dependabot shut up about it. Since this is a dependency of Minecraft itself, you'll likely get the vulnerable version anyways until Mojang updates it.
---
 build.gradle | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 4bbb14e..41a026e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,6 +27,14 @@ repositories {
 // for more information about repositories.
 }
 
+// Override vulnerable msal4j dependency until Minecraft updates to a newer version
+configurations.all {
+ resolutionStrategy {
+ // v1.15.0, used by Minecraft 1.21.3, is vulnerable to CVE-2024-35255
+ force 'com.microsoft.azure:msal4j:1.17.2'
+ }
+}
+
 dependencies {
 // To change the versions see the gradle.properties file
 minecraft "com.mojang:minecraft:${project.minecraft_version}"
@@ -95,7 +103,7 @@ publishMods {
 )
 type = ghVersion.contains("pre") ? BETA : STABLE
 modLoaders.add("fabric")
-
+
 curseforge {
 projectId = "353426"
 accessToken = providers.environmentVariable("CURSEFORGE_API_KEY")
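Review bot: The forced version in the first hunk is a bare string inside `configurations.all` with no link to `minecraft_version`, so nothing will flag this block as stale once Minecraft ships a fixed msal4j; give the comment a concrete removal trigger, e.g. `// Remove once the minecraft_version in gradle.properties ships msal4j >= 1.17.2 (1.15.0, bundled with 1.21.3, is affected by CVE-2024-35255)`. Because the override applies to every configuration, dev-run and test classpaths presumably resolve 1.17.2 while the launcher-provided runtime keeps the version Minecraft bundles, so the comment should also say that this changes the build classpath only and is not a runtime remediation, as the commit message already notes. `ResolutionStrategy.force` still works, but the same pin can be expressed as a dependency constraint with `version { strictly '1.17.2' }`, which shows up in dependency reports with a reason string. The second hunk only replaces a whitespace line and needs no change.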