Announcement

Collapse
No announcement yet.
X
Collapse
  • Page of 1
  • Filter
  • Time
Clear All
new posts
Previous template Next
    #1

    security Vulnerability CVE-2020-9354

    Hi,

    Recently one of our product customer did a security scan that resulted in security vulnerability on Smartclient, mention in the links below.
    https://nvd.nist.gov/vuln/detail/CVE-2020-9354
    https://seclists.org/fulldisclosure/2020/Feb/18

    All the links above point that vulnerability is present with smartclient 12 and one of our product customer identified with smartclient 9 version.
    My query is, is this vulnerability resolved in any later version of smartclient? If yes, what exact version has addressed it? And correspondingly, which version of SmartGWT to use?

    Thanks in advance.
    Tags: None
    #2
    Same issue here, a customer just recently did a scan and reported similar problems.

    In our case the scan was done with: https://portswigger.net/burp/vulnerability-scanner

    Comment

      #3
      This is not a real vulnerability. This is someone reporting that the SDK is an SDK: like any development tool, it allows you to save files. Runtime deployments do not allow saving of files.

      This vulnerability was reported to the above lists as a way of trying to force Isomorphic to pay money to stop someone from reporting a vulnerability they know to be a false vulnerability.

      Please do not fall for this again, and if you use a security scanner yourself, please make sure to have a security professional review the results before worrying about them: scanners produce many, many false positives.

      Comment

        #4
        Can you please confirm if your previously stated response for this CVE is still applicable in the latest version of the product?

        Comment

          #5
          Yes, this continues to be an absurd and totally invalid CVE that actually reports intended functionality. There is no security issue here, just scam artists.

          Comment

            #6
            Thanks for the confirmation :-)

            Comment

            Previous template Next
            Working...
            X