[SECURITY] Breach In MCreator Java Librairies

Started by Alex89912 on Tue, 11/01/2022 - 17:00

Topic category: Troubleshooting, bugs, and solutions

Last seen on 17:03, 1. Nov 2022
Joined Nov 2022
Points:

User statistics:

  • Modifications:
  • Forum topics:
  • Wiki pages:
  • Tracker tickets:
  • MCreator plugins:
  • Comments:
[SECURITY] Breach In MCreator Java Librairies
Tue, 11/01/2022 - 17:01 (edited)

Only a few minutes before i checked my pc I found Log4j (Last Vulnerability OF THE YEAR for Java) and when I checked on a website what was the vesrsoins affected, I found that it was one of them.

 

Here is the proof from the apache website (Creator of Log4j)

(Sorry btw I just screenshotted only 1 of the 3 lines of where it was on my computer)

Apache Website Screenshot

Edited by Alex89912 on Tue, 11/01/2022 - 17:01
Last seen on 02:40, 22. Jan 2023
Joined Feb 2021
Points:

User statistics:

  • Modifications:
  • Forum topics:
  • Wiki pages:
  • Tracker tickets:
  • MCreator plugins:
  • Comments:
You should report this on…
Wed, 11/02/2022 - 03:06

You should report this on the mcreator github to get more attention


 

I suggest checking the…
Wed, 11/02/2022 - 17:03

I suggest checking the source code, where you can see we (MCreator software) use 2.19.0 which is not vulnerable: https://github.com/MCreator/MCreator/blob/b88d5a3d8f231806e58fbc2e11210453e5de322c/build.gradle#L73

The version you are showing is from Gradle caches for the test environment. Those libs are managed by MC/FG and we have no control over them.