CVE-2020-1945 in gwt-dev's ant dependency #9690
Comments
|
You should never deploy gwt-dev as part of your application, unless you are doing something like re-running the GWT Compiler on your running app server, so this should be a non-issue for most deployments. are you running ant as part of your running server? With that said, it appears that the mitigation section of RAT-269 should apply here as a workaround:
|
|
Thank you for the quick reply! I'm sure we never deploy gwt-dev as part of our application and thus don't run ant in our running server. However now I'm unsure whether I misunderstood your point or the CVE. Thank you for pointing out the workaround. I will investigate how we might apply this to our situation. |
|
gwt-dev uses a single class Maybe that file should be copied and repackaged into the GWT distribution in the future so that gwt-dev does not depend on whole ANT library anymore. |
|
My reply was meant to help you mitigate this issue in your own env right away, not to brush this off as unimportant. If your risk model is "we might build to a machine where other users can write to its tmp dirs" then yes, this definitely needs to be addressed promptly, or the workaround I mentioned explored. That said, I believe that even cloud build providers do not let filesystem changes leak from one organization (or even build) to another, so this particular attack seems unlikely? If you are running somewhere like a shared tomcat instance where other users can deploy arbitrary wars or log in and poke the filesystem, then yes, that would definitely be a concern. I'm not quite sure where the line is between these. |
And I did not understand it that way. I'm very glad to get your feedback on this topic!
This is good to know, thank you! I believe this is good news. The CVE states:
If gwt-dev does not make use of these tasks at all, than I don't see how this aspect of the CVE would apply to gwt-dev. |
|
Thanks for your follow up. I agree that we are probably unaffected, but it would certainly help if we could ensure that by limiting our exposure. I'm trying to update a few other components within the compiler right now, will tackle this one next. |
|
The fix for this is merged, we now use a minimal ant jar so that only zips can be read. |
Bug: gwtproject#9690 Bug-Link: gwtproject#9690 Change-Id: Icc3003de781c61656cdf7ee62d998b40f4f4f17d
GWT version:2.8.2
Browser (with version): N/A (compile time issue)
Operating System: any OS affected as far as I understand
Description
gwt-dev:2.8.2 relies on ant:1.6.5, which is affected by CVE-2020-1945.
We are using gwt-maven-plugin for our builds and as far as I understand this relies on gwt-dev for compilation. This is why I assume we are affected by this vulnerability.
Especially when building with a public cloud provider the attack is critical.
Are there any plans to update the ant dependency in gwt-dev to mitigate this CVE?
Steps to reproduce
Found by owasp dependency-check:
mvn dependency-check:checkKnown workarounds
None. GWT version 2.9.0 still references ant:1.6.5.
Links to further discussions
https://nvd.nist.gov/vuln/detail/CVE-2020-1945
The text was updated successfully, but these errors were encountered: