The gwt-servlet issue is only on c++ versions of protobuf, so we believe there is no exploit here at all.
The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor gwt-user.jar should ever be deployed as part of a running server application, so none of those should be exploitable either.
On Mon, Jun 29, 2020, at 10:38 AM, Velusamy Velu wrote:
Is there a documented or demonstrated case of break-in using any of the vulnerabilities listed in your post, in an application developed with GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC?On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:Hi All,Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker tool.Below are the details -Gwt-dev.jar -1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )1.2 Vulnerable version of commons-collections(current version - 3.2.1)1.3 Vulnerable version of org.apache.httpcomponents:
httpclient(current version - 4.3.1)1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)1.5 Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)Gwt-servlet.jar -1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)Given above vulnerabilities -1. Are those security issues addressed in latest 2.9.0 release?2. If no, is there a plan to include them in any future release say 3.x?3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?