Re: Security Vulnerabilities with GWT

2022-11-16 Thread Colin Alworth
Thanks for working on this, Rafat. I've deployed a build of this to https://repo.vertispan.com/gwt-snapshot/ with version 2.11.0-fix-9778-SNAPSHOT. This uses the new groupIds, org.gwtproject:gwt-servlet:2.11.0-fix-9778-SNAPSHOT. For example, see

Re: Security Vulnerabilities with GWT

2022-11-11 Thread Rafat J. Al-Barouki
I did make a PR for fixing this issue by removing the pom.xml file from the rebased jar: https://github.com/gwtproject/gwt/pull/9785. I did scan a sample project and attached is the report. It would be great if there is anyone who can help verify the fix.

Re: Security Vulnerabilities with GWT

2022-10-28 Thread Colin Alworth
This is discussed at https://github.com/gwtproject/gwt/issues/9778 and https://github.com/gwtproject/gwt/issues/9752: this is a false positive, but still needs to be corrected. The simplest fix is probably to just stop packaging up the "I am running an old version" marker file, since the Is
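The two messages above describe the mechanism behind the false positive and the fix: a dependency scanner identifies bundled libraries by the Maven marker files (META-INF/maven/<groupId>/<artifactId>/pom.properties and pom.xml) left inside a jar, so a rebased copy of a library that still carries the original library's marker is reported under the original coordinates and version, and removing the marker removes the report. The script below is an added example written for this page, not code from the GWT project or from the PR; it lists the markers a scanner would read from a jar and strips those that do not belong to the jar itself. The sample jar, its entry names and the version string it contains are constructed for the demonstration and are not claims about any real GWT or protobuf release.

```python
"""List and strip the Maven marker files inside a jar.

Added example for this thread, not GWT project code.  Assumes the
standard layout Maven writes into jars:
    META-INF/maven/<groupId>/<artifactId>/pom.properties
    META-INF/maven/<groupId>/<artifactId>/pom.xml
The sample jar built by build_sample_jar() is constructed; its class
bytes, coordinates and version are illustrative only.
"""
import io
import re
import zipfile

# Any entry under the per-artifact marker directory.
MARKER_DIR_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/")
# The two marker files a scanner actually parses.
MARKER_FILE_RE = re.compile(
    r"^META-INF/maven/([^/]+)/([^/]+)/(pom\.properties|pom\.xml)$")


def find_maven_markers(jar_bytes):
    """Return {(groupId, artifactId): version} for every marker in the jar.

    The version is read from pom.properties; an artifact that only has a
    pom.xml is recorded with version None.  This is the information a
    dependency scanner matches against its CVE database.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = MARKER_FILE_RE.match(name)
            if not m:
                continue
            group, artifact, kind = m.groups()
            key = (group, artifact)
            if kind == "pom.properties":
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode("utf-8").splitlines()
                    if "=" in line and not line.startswith("#"))
                found[key] = props.get("version")
            else:
                found.setdefault(key, None)
    return found


def strip_maven_markers(jar_bytes, keep_own=None):
    """Return a copy of the jar without META-INF/maven/** entries, except
    for the coordinates listed in keep_own (normally the jar's own)."""
    keep_own = set(keep_own or ())
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            m = MARKER_DIR_RE.match(info.filename)
            if m and (m.group(1), m.group(2)) not in keep_own:
                continue  # drop the marker of a bundled/rebased library
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def jar_entries(jar_bytes):
    """Entry names of a jar, for checking that real content survived."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def build_sample_jar():
    """Constructed sample: an application jar that ships a relocated copy
    of a library and, by mistake, that library's original marker files.
    Coordinates and the version 3.0.0 are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_class = b"\xca\xfe\xba\xbe"  # not a real class file
        zf.writestr("org/example/app/Service.class", fake_class)
        zf.writestr("org/example/app/repackaged/protobuf/Message.class",
                    fake_class)
        zf.writestr("META-INF/maven/org.example/app/pom.properties",
                    "version=1.0.0\ngroupId=org.example\nartifactId=app\n")
        zf.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
            "#Generated by Maven\nversion=3.0.0\n"
            "groupId=com.google.protobuf\nartifactId=protobuf-java\n")
        zf.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.xml",
            "<project><artifactId>protobuf-java</artifactId></project>")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("markers before:", find_maven_markers(jar))
    cleaned = strip_maven_markers(jar, keep_own={("org.example", "app")})
    print("markers after: ", find_maven_markers(cleaned))
```

Running find_maven_markers against a real jar shows exactly which coordinates a scanner will attribute to it; if a rebased library's marker is present, the scanner reports that library's CVEs even though the relocated classes are not reachable under their original names. The strip function is the same fix the PR takes (removing the marker from the build output), applied after the fact; it is a way to verify the fix on an existing artifact, not a substitute for fixing the build.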

Re: Security Vulnerabilities with GWT

2022-10-26 Thread 'Ben Shapiro' via GWT Users
I know that this conversation is about 2 years old. We upgraded to GWT 2.10 in hopes that it would resolve the following vulnerabilities with protobuf-java; they are all being reported in the gwt-servlet.jar (version 2.10.0): https://nvd.nist.gov/vuln/detail/CVE-2022-3171

Re: Security Vulnerabilities with GWT 2.10

2022-09-01 Thread Thomas Broyer
On Thursday, September 1, 2022 at 11:57:07 AM UTC+2 priyako...@gmail.com wrote: > Thanks for the response. > > There is one more CVE that has been reported for the gwt-dev jar for the HtmlUnit > component. Details of the CVE are as below - > CVE - CVE-2022-29546 > severity - 7.5 > Description - HtmlUnit

Re: Security Vulnerabilities with GWT 2.10

2022-09-01 Thread priyako...@gmail.com
Thanks for the response. There is one more CVE that has been reported for the gwt-dev jar for the HtmlUnit component. Details of the CVE are as below - CVE - CVE-2022-29546 severity - 7.5 Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated

Re: Security Vulnerabilities with GWT 2.10

2022-07-29 Thread Thomas Broyer
On Friday, July 29, 2022 at 1:27:36 PM UTC+2 priyako...@gmail.com wrote: > Hi All, > > Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release > have been reported by Dependency checker tool - > > [image: gwt-dev_vulnerablities.PNG] > Given above vulnerabilities - > 1. Are

Re: Security Vulnerabilities with GWT

2020-06-30 Thread Priya Kolekar
Thank you very much for the quick responses. Here are the vulnerabilities listed - gwt-dev.jar - 1.1 Vulnerable version of jetty library (current version 9.2.14, available version 9.2.27+) [Associated CVEs - CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536] 1.2 Vulnerable

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
The gwt-servlet issue is only on c++ versions of protobuf, so we believe there is no exploit here at all. The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor gwt-user.jar should ever be deployed as part of a running server application, so none of those should be

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Velusamy Velu
Is there a documented or demonstrated case of break-in using any of the vulnerabilities listed in your post, in an application developed with GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC? On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer
On Monday, June 29, 2020 at 12:57:41 PM UTC+2, Priya Kolekar wrote: > > > Hi All, > > Security Vulnerabilities have been detected in gwt-dev.jar & > gwt-servlet.jar (in release 2.8.2) & are reported by Dependency checker > tool. > > Below are the

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer
On Monday, June 29, 2020 at 3:36:11 PM UTC+2, Colin Alworth wrote: > > 1. No, these dependencies were not updated as part of the 2.9.0 release > 2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the > 3.x release is going to be structured in a different enough of a way

Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
1. No, these dependencies were not updated as part of the 2.9.0 release 2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way that none of these will be present. 3. At a quick glance, it appears to be an