Hi All,
Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker
tool.
Below are the details -
Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )
1.2 Vulnerable version of commons-collections(current version - 3.2.1)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)
1.5 Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)
Gwt-servlet.jar -
1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)
Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?