Need to know the vaadin version in which CVE-2009-4611 is fixed

There is vulnerability (CVE-2009-4611 ) on Mort Bay Jetty , this 3PP is part of Vaadin.

Please confirm that in which Vaadin version above mentioned vulnerability is fixed .


There was dependency to this version of jetty in GWT 2.6 series, which has not been used in Vaadin for a long time. Vaadin 8 uses GWT 2.8.2 and Vaadin 7 GWT 2.7.0 which both should be ok. Also, this jetty instance is used only be the GWT’s SuperDevMode debugger. If you have configured the depenencies in correct manner, i.e. client side dependencies being in ‘provided’ scope, they are not bundled in your WAR. When done so, the jetty instance of GWT is not used runtime in your app.