Friday, October 28, 2022

Re: Security Vulnerabilities with GWT

This is discussed at https://github.com/gwtproject/gwt/issues/9778 and https://github.com/gwtproject/gwt/issues/9752: this is a false positive, but still needs to be corrected. The simplest fix is probably to just stop packaging up the "I am running an old version" marker file, since the

Is there a functioning "bug bounty" tool for github? I found a few options that all seem defunct, but this seems like a good candidate for someone to either scratch their own itch and get it fixed, or fund someone else who has the time.

Regardless, as someone not actually affected by this false positive (so I can't justify the time right now to focus on it, run the verification that tools accept the output, etc), I'll put up a bounty of 100USD (via paypal/etc) to see this fixed, with a bonus 100USD for a first-time contributor. If someone has experience with a platform for setting up bounties like this, it might be helpful to formalize future issues.

On Wednesday, October 26, 2022 at 4:07:48 PM UTC-5 bsha...@qvera.com wrote:
I know that this conversation is about 2 years old.  We upgraded to GWT 2.10 in hopes that it would resolve the following vulnerabilities with protobuf-java, they are all being reports in the gwt-servlet.jar (version 2.10.0):

These are all being reported in our project by the AWS Enhanced Scanning.  It there any way to upgrade Protobuf from 2.5.0 to the latest version of 3.21.8?

Thanks in advance.
Ben

On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com wrote:
Thank you very much for quick responses.
Here are Vulnerabilities listed -


Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ ) 
[Associated CVEs -  CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0) [CVE-2015-5237]
1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37) [CVE-2020-5529]

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0) [CVE-2015-5237]


On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:

Hi All,

Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker tool.

Below are the details -

Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )
1.2 Vulnerable version of commons-collections(current version - 3.2.1)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)
1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/1bdbe148-b8c7-41a8-bbdc-90d0dfb0ffedn%40googlegroups.com.

No comments:

Post a Comment