The gwt-servlet issue is only in the C++ versions of protobuf, so we believe there is no exploit here at all.

The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor gwt-user.jar should ever be deployed as part of a running server application, so none of those should be exploitable either.

On Mon, Jun 29, 2020, at 10:38 AM, Velusamy Velu wrote:

> Is there a documented or demonstrated case of break-in using any of the vulnerabilities listed in your post, in an application developed with the GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC?
>
> On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:
>
>> Hi All,
>>
>> Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker tool <https://jeremylong.github.io/DependencyCheck/>.
>>
>> Below are the details -
>>
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library (current version - 9.2.14, available version - 9.2.27+)
>> 1.2 Vulnerable version of commons-collections (current version - 3.2.1)
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)
>> 1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
>> 1.5 Vulnerable version of htmlunit (current version - 2.19, available version - 2.37)
>>
>> Gwt-servlet.jar -
>> 1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
>>
>> Given the above vulnerabilities -
>> 1. Are those security issues addressed in the latest 2.9.0 release?
>> 2. If not, is there a plan to include them in any future release, say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes & can be flagged as a false positive, are there still any attack surfaces?
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/8226e012-160a-49b2-91a6-b41a958da81a%40www.fastmail.com.
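As an added example (not part of this thread or of the GWT project), the following Python check inspects a deployed WAR's WEB-INF/lib for gwt-dev or gwt-user jars, which the reply above says should never ship as part of a running server application. The sample WARs are constructed in memory with placeholder jar names, so the file names and versions are assumptions used only to exercise the check.

```python
import io
import zipfile

# Build-time only jars per the thread: gwt-dev.jar and gwt-user.jar must not
# be packaged into a running server application. gwt-servlet is the runtime jar.
BUILD_TIME_ONLY = ("gwt-dev", "gwt-user")


def find_build_time_jars(war_bytes):
    """Return the WEB-INF/lib entries of a WAR that are GWT build-time jars.

    Matches both bare names (gwt-dev.jar) and versioned names (gwt-dev-2.8.2.jar),
    case-insensitively, so a mispackaged artifact is not missed.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/") or not name.endswith(".jar"):
                continue
            jar = name.rsplit("/", 1)[1].lower()
            if any(jar == p + ".jar" or jar.startswith(p + "-") for p in BUILD_TIME_ONLY):
                flagged.append(name)
    return sorted(flagged)


def check_war_file(path):
    """Convenience wrapper: read a WAR from disk and run the same check."""
    with open(path, "rb") as f:
        return find_build_time_jars(f.read())


def build_sample_war(jar_names):
    """Construct an in-memory WAR (constructed sample, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")  # empty placeholder jar
    return buf.getvalue()


if __name__ == "__main__":
    # Correctly packaged: only the runtime jar is present (assumed file names).
    good = build_sample_war(["gwt-servlet-2.8.2.jar"])
    # Mispackaged: build-time jars leaked into the deployable.
    bad = build_sample_war(["gwt-servlet-2.8.2.jar", "gwt-dev-2.8.2.jar", "gwt-user-2.8.2.jar"])
    print("good:", find_build_time_jars(good))
    print("bad:", find_build_time_jars(bad))
```

Running this against a real WAR (`check_war_file("app.war")`) gives an empty list when only gwt-servlet is packaged; any non-empty result points at a packaging mistake that widens the server's attack surface with jars that are only needed at compile time.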
