Re: Security Vulnerabilities with GWT

Tue, 30 Jun 2020 03:16:58 -0700 

Thank you very much for quick responses.
Here are Vulnerabilities listed -


Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available 
version -9.2.27+ ) 
[Associated CVEs -  
CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ 
CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
available version - 3.4.0) [CVE-2015-5237]
1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
version- 2.37) [CVE-2020-5529]

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
available version - 3.4.0) [CVE-2015-5237]


On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>
>
> Hi All,
>
> Security Vulnerability have been detected in gwt-dev.jar & 
> gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker 
> tool <https://jeremylong.github.io/DependencyCheck/>.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ )
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
> version- 2.37)
>
> Gwt-servlet.jar -
>         1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>
> Given above vulnerabilities -
> 1. Are those security issues addressed in latest 2.9.0 release?
> 2. If no, is there a plan to include them in any future release say 3.x?
> 3. As we know that gwt-dev.jar is used for development purpose & can be 
> flagged as false positive, still are there any attack surfaces exists?
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/53fc57d4-6d37-44b5-b267-044aa30e878co%40googlegroups.com.

Reply via email to