Security Vulnerabilities with GWT 2.10


priyako...@gmail.com

Jul 29, 2022, 7:27:36 AM
to GWT Users
Hi All,

The security vulnerabilities below in gwt-dev.jar in the latest GWT 2.10 release have been reported by the Dependency checker tool:

gwt-dev_vulnerablities.PNG
Given the above vulnerabilities:
1. Are those security issues addressed in the latest 2.10.0 release?
2. If not, is there a plan to include them in any future release, say 3.x?
3. As we know, gwt-dev.jar is used for development purposes (in our application, we remove gwt-dev.jar post compilation); do any attack surfaces still exist?

Thomas Broyer

Jul 29, 2022, 5:45:45 PM
to GWT Users
IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it might also be used for generating source maps at build time, I don't remember); sourcemaps are bundled with your application so they can hardly be considered "untrusted data".
James (mime4j) is a transitive dependency of HTMLUnit, used for testing. It's not clear whether the mime4j component of James is vulnerable (I'd say no), but it's only used for unit tests where I'd say you shouldn't load any untrusted data.
Jetty as used in GWT won't do HTTP/2.

So, the only possible attack surface would be untrusted URLs loaded during tests.

priyako...@gmail.com

Sep 1, 2022, 5:57:07 AM
to GWT Users
Thanks for the response.

One more CVE has been reported for the gwt-dev jar, for the HtmlUnit component. Details of the CVE are as below:
CVE - CVE-2022-29546
Severity - 7.5
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate the above vulnerability?
As we know, gwt-dev.jar is used for development purposes (in our application, we remove gwt-dev.jar post compilation); do any attack surfaces still exist?

Thomas Broyer

Sep 1, 2022, 9:49:17 AM
to GWT Users
On Thursday, September 1, 2022 at 11:57:07 AM UTC+2 priyako...@gmail.com wrote:
Thanks for the response.

One more CVE has been reported for the gwt-dev jar, for the HtmlUnit component. Details of the CVE are as below:
CVE - CVE-2022-29546
Severity - 7.5
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate the above vulnerability?
As we know, gwt-dev.jar is used for development purposes (in our application, we remove gwt-dev.jar post compilation); do any attack surfaces still exist?

It depends on whether a) you use GWTTestCase, b) you run them with the HtmlUnit runner, c) those tests load external resources not under your control (that could contain the processing instruction triggering the OOME)
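The thread's reasoning relies on gwt-dev.jar being removed after compilation. As an added example (not part of the original thread and not GWT project code), this Python check inspects a WAR for gwt-dev by file name and for dev-only classes repackaged under another jar name. The marker classes chosen and the sample WARs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# File names of dev-only jars that should not ship in a deployed WAR.
DEV_JAR_NAME = re.compile(r"(^|/)gwt-dev[^/]*\.jar$")
# Marker classes (assumed choice) revealing dev-only code under another name.
MARKER_CLASSES = {
    "com/google/gwt/dev/Compiler.class": "GWT compiler (gwt-dev)",
    "com/google/gwt/dev/DevMode.class": "GWT DevMode (gwt-dev)",
    "com/gargoylesoftware/htmlunit/WebClient.class": "HtmlUnit",
}

def find_dev_artifacts(war_bytes):
    """Return sorted (location, reason) findings for dev-only code in a WAR."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            # Classes unpacked directly into WEB-INF/classes.
            cls = name.split("WEB-INF/classes/", 1)[-1]
            if cls in MARKER_CLASSES:
                findings.add((name, MARKER_CLASSES[cls]))
            if not name.endswith(".jar"):
                continue
            if DEV_JAR_NAME.search(name):
                findings.add((name, "dev-only jar by file name"))
            try:  # look inside each bundled jar for repackaged dev classes
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    for marker in MARKER_CLASSES.keys() & set(jar.namelist()):
                        findings.add((f"{name}!/{marker}", MARKER_CLASSES[marker]))
            except zipfile.BadZipFile:
                findings.add((name, "unreadable jar, inspect manually"))
    return sorted(findings)

def _zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample WARs, not real build output.
CLEAN_WAR = _zip({"WEB-INF/lib/gwt-servlet.jar": _zip(
    {"com/google/gwt/user/server/rpc/RemoteServiceServlet.class": b""})})
LEAKY_WAR = _zip({
    "WEB-INF/lib/gwt-dev-2.10.0.jar": _zip({"com/google/gwt/dev/Compiler.class": b""}),
    "WEB-INF/lib/tools-all.jar": _zip({"com/gargoylesoftware/htmlunit/WebClient.class": b""}),
})
```

Run against the real WAR bytes in CI and fail the build on any finding; an empty result supports the "development only" assumption for the deployed artifact.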