On Friday, July 29, 2022 at 1:27:36 PM UTC+2 [email protected] wrote:
> Hi All, > > Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release > have been reported by Dependency checker tool - > > [image: gwt-dev_vulnerablities.PNG] > Given above vulnerabilities - > 1. Are those security issues addressed in latest 2.10.0 release? > 2. If no, is there a plan to include them in any future release say 3.x? > 3. As we know that gwt-dev.jar is used for development purpose( in our > application, we remove gwt-dev.jar post compilation) , still are there any > attack surfaces exists? > IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it might also be used for generating source maps at build time, I don't remember) ; sourcemaps are bundled with your application so they can hardly be considered "untrusted data". James (mime4j) is a transitive dependency of HTMLUnit, used for testing. It's not clear whether the mime4j component of James is vulnerable (I'd say no), but it's only used for unit tests where I'd say you shouldn't load any untrusted data. Jetty as used in GWT won't do HTTP/2. So, the only possible attack surface would be untrusted URLs loaded during tests. -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/2f4d0816-5027-449e-b61e-5d6c55785e55n%40googlegroups.com.
