TheGreyGhost / MinecraftByExample

Working sample code for the basic concepts in Minecraft and Forge.

[SECURITY] Releases are built/executed/released in the context of insecure/untrusted code #50

Closed JLLeitschuh closed 5 years ago

JLLeitschuh commented 5 years ago

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITMed to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JAR files were compromised, any developers using these could continue to be infected past updating to fix this.

https://github.com/TheGreyGhost/MinecraftByExample/blob/4fe62c69f2e1a8bf5fd284b61dcd2a5386a1cb31/build.gradle#L4

This vulnerability has a CVSS v3.0 Base Score of 8.1/10 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical; POC code already exists to maliciously compromise JAR files in flight.

See:

To fix: Update your build.gradle so that artifacts are resolved over HTTPS instead of HTTP.

It seems like this is actually a pretty big issue across the entire Modded Minecraft Ecosystem because there seem to be a lot of mods using this project as a starter structure for their own:

simon816 commented 5 years ago

> there seem to be a lot of mods using this project as a starter structure for their own

I don't know if what you're saying is a substantiated claim or not, but almost all mods start out with the MDK (Mod Developer Kit) as a basis. Available here: https://github.com/MinecraftForge/MinecraftForge/tree/1.12.x/mdk

It was changed to HTTPS upstream a few months ago https://github.com/MinecraftForge/MinecraftForge/commit/607da1bd9b07ed07d8332530d90bca869503cc6d

JLLeitschuh commented 5 years ago

Thanks for the hint. I was wondering why I was finding all of these.

TheGreyGhost commented 5 years ago

Ah, thanks for the info.
The MDK is definitely the original source of the problem you're talking about. I'm about to start updating for the next version of Forge, so I'll make sure I use the fixed version.

TheGreyGhost commented 5 years ago

Have updated all the http to https.
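The check and fix discussed in this issue, written out as an added example (this is not code from MinecraftByExample, the Forge MDK, or any commenter). It scans a Gradle build script for quoted `http://` repository URLs, skips commented-out lines and loopback hosts, and rewrites the scheme of every flagged URL to `https://`. The `SAMPLE_BUILD_GRADLE` text is constructed for the example and every host in it is a placeholder; the loopback allow-list is an assumption about what a local development mirror looks like.

```python
"""Find and fix plaintext http:// repository URLs in a Gradle build script.

Added example for the issue above; not code from MinecraftByExample, the
Forge MDK, or any commenter. SAMPLE_BUILD_GRADLE is constructed here and
every host in it is a placeholder.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts where plaintext is tolerated (assumption: a loopback mirror on the
# developer's own machine is not reachable by a network attacker).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# A quoted http:// URL as written in the Groovy DSL, e.g.
#   maven { url = "http://host/path" }   or   maven { url 'http://host/path' }
_QUOTED_HTTP_URL = re.compile(r"[\"'](http://[^\"'\s]+)[\"']")


def find_insecure_repos(gradle_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, url) for each http:// URL that points at
    a non-loopback host. Lines commented out with // are skipped."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(gradle_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        m = _QUOTED_HTTP_URL.search(line)
        if m is None:
            continue
        url = m.group(1)
        host = urlsplit(url).hostname or ""
        if host in LOOPBACK_HOSTS:
            continue
        hits.append((n, url))
    return hits


def rewrite_to_https(gradle_text: str) -> str:
    """Return the script with the scheme of every flagged URL changed to
    https://. Host and path are left alone, so the result is only correct
    if that host actually serves the repository over TLS."""
    flagged = {n for n, _ in find_insecure_repos(gradle_text)}
    out = []
    for n, line in enumerate(gradle_text.splitlines(keepends=True), start=1):
        out.append(line.replace("http://", "https://", 1) if n in flagged else line)
    return "".join(out)


# Constructed build.gradle in the shape of a Forge-mod build script.
SAMPLE_BUILD_GRADLE = """\
buildscript {
    repositories {
        jcenter()
        maven { url = "http://repo.example.invalid/maven" }
        maven { url = "http://localhost:8081/mirror" }
    }
    dependencies {
        classpath 'net.example.invalid:build-plugin:1.0'
    }
}
repositories {
    maven { url "http://mods.example.invalid/repo" }
    // maven { url "http://old.example.invalid/repo" }
    maven { url "https://already.example.invalid/repo" }
}
"""


def main() -> None:
    for n, url in find_insecure_repos(SAMPLE_BUILD_GRADLE):
        print(f"build.gradle:{n}: plaintext repository {url}")
    fixed = rewrite_to_https(SAMPLE_BUILD_GRADLE)
    assert find_insecure_repos(fixed) == []
    print(fixed)


if __name__ == "__main__":
    main()
```

Two caveats when applying this to a real build. Switching the scheme only helps if the repository host serves HTTPS, so run the build afterwards and confirm every artifact still resolves; Gradle 7 and later refuse `http://` repositories outright unless `allowInsecureProtocol` is set, which makes a leftover plaintext URL a build failure rather than a silent downgrade. And, as the report notes, JARs already fetched over plaintext may have been tampered with before the fix, so clear the local artifact cache (`~/.gradle/caches`) and re-resolve rather than trusting what is on disk.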