Thanks for response.

One more CVE has been reported for the gwt-dev jar, for the HtmlUnit 
component. Details of the CVE are as below -
CVE - CVE-2022-29546
severity  - 7.5 
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial 
of service vulnerability. Crafted input associated with the parsing of 
Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate the above vulnerability?
As we know, gwt-dev.jar is used for development purposes (in our 
application, we remove gwt-dev.jar post compilation); still, are there any 
attack surfaces that exist?

On Saturday, 30 July 2022 at 03:15:45 UTC+5:30 [email protected] wrote:

> On Friday, July 29, 2022 at 1:27:36 PM UTC+2 [email protected] wrote:
>
>> Hi All,
>>
>> Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release 
>> have been reported by Dependency checker tool - 
>>
>> [image: gwt-dev_vulnerablities.PNG]
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in latest 2.10.0 release?
>> 2. If no, is there a plan to include them in any future release say 3.x?
>> 3. As we know, gwt-dev.jar is used for development purposes (in our 
>> application, we remove gwt-dev.jar post compilation); still, are there any 
>> attack surfaces that exist?
>>
>
> IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it 
> might also be used for generating source maps at build time, I don't 
> remember) ; sourcemaps are bundled with your application so they can hardly 
> be considered "untrusted data".
> James (mime4j) is a transitive dependency of HTMLUnit, used for testing. 
> It's not clear whether the mime4j component of James is vulnerable (I'd say 
> no), but it's only used for unit tests where I'd say you shouldn't load any 
> untrusted data.
> Jetty as used in GWT won't do HTTP/2.
>
> So, the only possible attack surface would be untrusted URLs loaded during 
> tests.
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/846a98bc-8022-42bc-a5ab-fac3de4ed377n%40googlegroups.com.
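The thread's recurring question is whether removing gwt-dev.jar after compilation closes the attack surface. A quick way to make that claim checkable is to scan the deployed WAR, not just for the jar by name but for the GWT compiler and HtmlUnit/NekoHtml classes themselves, since a shaded "fat" jar can carry them under another file name. The script below is an added example, not code from the thread or from the GWT project; the jar-name prefixes, the package prefixes it flags (`com/google/gwt/dev/`, `com/gargoylesoftware/htmlunit/`, `net/sourceforge/htmlunit/cyberneko/`) and the sample WAR it builds in memory are all assumptions made for the example.

```python
"""Check that a deployed WAR carries no GWT development-time code.

Added example, not part of the original thread or of GWT itself. It builds a
small constructed WAR in memory (sample jar names and empty class entries) and
scans WEB-INF/lib, including the classes inside each bundled jar, for gwt-dev
and for the HtmlUnit / NekoHtml packages the CVE discussion concerns. The jar
and package names flagged below are assumptions chosen for the example.
"""
import io
import zipfile

# Artifact name prefixes that only belong at build/test time (assumption).
DEV_ONLY_JAR_PREFIXES = ("gwt-dev", "htmlunit", "neko-htmlunit", "nekohtml")

# Class path prefixes that reveal the same code shaded into another jar
# (GWT compiler, HtmlUnit 2.x and the NekoHtml fork it ships; assumption).
DEV_ONLY_CLASS_PREFIXES = (
    "com/google/gwt/dev/",
    "com/gargoylesoftware/htmlunit/",
    "net/sourceforge/htmlunit/cyberneko/",
)


def find_dev_only_code(war_bytes: bytes) -> list[str]:
    """Return findings such as 'WEB-INF/lib/gwt-dev.jar' or
    'WEB-INF/lib/app.jar!com/gargoylesoftware/htmlunit/WebClient.class'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/") or not name.endswith(".jar"):
                continue
            base = name.rsplit("/", 1)[-1]
            if base.startswith(DEV_ONLY_JAR_PREFIXES):
                findings.append(name)
                continue
            # Open the nested jar and look for shaded-in classes.
            try:
                inner = zipfile.ZipFile(io.BytesIO(war.read(name)))
            except zipfile.BadZipFile:
                findings.append(f"{name}!<not a valid jar>")
                continue
            with inner:
                for entry in inner.namelist():
                    if entry.startswith(DEV_ONLY_CLASS_PREFIXES):
                        findings.append(f"{name}!{entry}")
    return findings


def _jar(entries: dict[str, bytes]) -> bytes:
    """Build a zip (jar/war) in memory from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, data in entries.items():
            z.writestr(n, data)
    return buf.getvalue()


def build_sample_war(include_dev_jars: bool) -> bytes:
    """Constructed WAR: one clean runtime jar plus, optionally, build leftovers."""
    libs = {
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/gwt-servlet.jar": _jar(
            {"com/google/gwt/user/server/rpc/RemoteServiceServlet.class": b""}),
    }
    if include_dev_jars:
        libs["WEB-INF/lib/gwt-dev.jar"] = _jar({"com/google/gwt/dev/Compiler.class": b""})
        # A "fat" jar that shaded HtmlUnit in: the file name gives nothing away.
        libs["WEB-INF/lib/app-all.jar"] = _jar(
            {"com/gargoylesoftware/htmlunit/WebClient.class": b"",
             "com/example/App.class": b""})
    return _jar(libs)


if __name__ == "__main__":
    for flag in (False, True):
        result = find_dev_only_code(build_sample_war(flag))
        print(f"dev jars included={flag}:", result or "clean")
```

Run it against a real artifact by reading the WAR from disk and passing the bytes to `find_dev_only_code`; an empty list means neither gwt-dev nor HtmlUnit code is deployed, which is the situation Thomas describes, where only the test run (untrusted URLs loaded during tests) remains as a possible exposure. Keeping gwt-dev in Maven's `provided` scope, or out of the WAR packaging entirely, is what makes this check pass by construction.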