Thursday, September 1, 2022

Re: Security Vulnerabilities with GWT 2.10

Thanks for response.

There is one more CVE has been reported for gwt-dev jar for htmlUnit component. Details of CVE are as below -
CVE - CVE-2022-29546
severity  - 7.5 
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate above vulnerablity?
As we know that gwt-dev.jar is used for development purpose( in our application, we remove gwt-dev.jar post compilation) , still are there any attack surfaces exists?

On Saturday, 30 July 2022 at 03:15:45 UTC+5:30 t.br...@gmail.com wrote:
On Friday, July 29, 2022 at 1:27:36 PM UTC+2 priyako...@gmail.com wrote:
Hi All,

Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release have been reported by Dependency checker tool - 

gwt-dev_vulnerablities.PNG
Given above vulnerabilities -
1. Are those security issues addressed in latest 2.10.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose( in our application, we remove gwt-dev.jar post compilation) , still are there any attack surfaces exists?

IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it might also be used for generating source maps at build time, I don't remember) ; sourcemaps are bundled with your application so they can hardly be considered "untrusted data".
James (mime4j) is a transitive dependency of HTMLUnit, used for testing. It's not clear whether the mime4j component of James is vulnerable (I'd say no), but it's only used for unit tests where I'd say you shouldn't load any untrusted data.
Jetty as used in GWT won't do HTTP/2.

So, the only possible attack surface would be untrusted URLs loaded during tests.

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/846a98bc-8022-42bc-a5ab-fac3de4ed377n%40googlegroups.com.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)