The gwt-servlet issue is only on c++ versions of protobuf, so we believe there 
is no exploit here at all.

The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor 
gwt-user.jar should ever be deployed as part of a running server application, 
so none of those should be exploitable either. 


On Mon, Jun 29, 2020, at 10:38 AM, Velusamy Velu wrote:
> Is there a documented or demonstrated case of break-in using any of the 
> vulnerabilities listed in your post, in an application developed with GWT 
> framework? Do these vulnerabilities matter if a GWT application doesn't use 
> GWT's RPC?
> 
> On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:
>> 
>> Hi All,
>> 
>> Security vulnerabilities have been detected in gwt-dev.jar & 
>> gwt-servlet.jar (in release 2.8.2) and are reported by the Dependency-Check tool 
>> <https://jeremylong.github.io/DependencyCheck/>.
>> 
>> Below are the details -
>> 
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library (current version - 9.2.14, available 
>> version - 9.2.27+)
>> 1.2 Vulnerable version of commons-collections (current version - 3.2.1)
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current 
>> version - 4.3.1)
>> 1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available 
>> version - 3.4.0)
>> 1.5 Vulnerable version of htmlunit (current version - 2.19, available 
>> version - 2.37)
>> 
>> Gwt-servlet.jar -
>> 1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, 
>> available version - 3.4.0)
>> 
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in latest 2.9.0 release?
>> 2. If no, is there a plan to include them in any future release say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>> flagged as a false positive, do any attack surfaces still exist?

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
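The reply above rests on gwt-dev.jar and gwt-user.jar never reaching the deployed server. The following check, added here as an example and not part of the thread, opens a WAR and reports any gwt-dev/gwt-user jars bundled under WEB-INF/lib; the sample WARs are constructed in memory.

```python
import io
import re
import zipfile
from typing import List

# gwt-dev and gwt-user are build-time artifacts; only gwt-servlet belongs in a
# deployed server application. Match both plain and versioned jar names.
BUILD_ONLY = re.compile(r"^WEB-INF/lib/gwt-(dev|user)(-[\w.-]+)?\.jar$")


def find_build_only_jars(war_bytes: bytes) -> List[str]:
    """Return the WEB-INF/lib entries of a WAR that are gwt-dev or gwt-user jars."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(name for name in war.namelist() if BUILD_ONLY.match(name))


def build_sample_war(jar_names: List[str]) -> bytes:
    """Constructed sample WAR: a web.xml plus empty jar entries under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for name in jar_names:
            war.writestr(f"WEB-INF/lib/{name}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # A deployment that mistakenly bundles the development jars alongside gwt-servlet.
    bad = build_sample_war(["gwt-servlet-2.8.2.jar", "gwt-dev-2.8.2.jar", "gwt-user-2.8.2.jar"])
    # A deployment that ships only the runtime jar.
    good = build_sample_war(["gwt-servlet-2.8.2.jar"])
    print(find_build_only_jars(bad))   # → ['WEB-INF/lib/gwt-dev-2.8.2.jar', 'WEB-INF/lib/gwt-user-2.8.2.jar']
    print(find_build_only_jars(good))  # → []
```

Run it against a real WAR with `find_build_only_jars(open("app.war", "rb").read())`; a non-empty result means the "never deployed" assumption does not hold for that build.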