Is there a documented or demonstrated case of a break-in using any of the vulnerabilities listed in your post, in an application developed with the GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC?

On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker tool <https://jeremylong.github.io/DependencyCheck/>.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library (current version - 9.2.14, available version - 9.2.27+)
> 1.2 Vulnerable version of commons-collections (current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
> 1.5 Vulnerable version of htmlunit (current version - 2.19, available version - 2.37)
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
>
> Given the above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.9.0 release?
> 2. If no, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes & can be flagged as a false positive, are there still any attack surfaces?
