Release Notes - Pluto 3.1.1
Pluto version 3.1.1 is a release that mainly focuses on security related issues such as updating vulnerable third-party dependencies and fixing project CVEs.
CVE
- [CVE-2021-36737] - XSS in V3 Demo Portlet
- [CVE-2021-36738] - XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet
- [CVE-2021-36739] - XSS vulnerability in the MVCBean JSP portlet maven archetype
Bug
- [PLUTO-781] - PortletRequestDispatcherImpl forwards to incorrect path
- [PLUTO-782] - Default "tomcat" and "pluto" users are granted "manager-gui" role
Task
- [PLUTO-786] - Upgrade to version Spring Framework 5.3.7 and Spring Security 5.5.1 due to CVE-2021-22112 and CVE-2021-22119
- [PLUTO-787] - Migrate to Log4j 2.16.0 due to CVE-2019-17571 and CVE-2021-44228
- [PLUTO-788] - Upgrade to Tomcat 8.5.69 due to multiple CVE issues
- [PLUTO-789] - Upgrade to commons-io-2.7 due to CVE-2021-29425
- [PLUTO-790] - Upgrade to JUnit 4.13.1 due to CVE-2020-15250
- [PLUTO-792] - Upgrade to taglibs-standard-impl-1.2.3 due to CVE-2015-0254
- [PLUTO-794] - Downgrade to hibernate-validator-5.4.3.Final and validation-api-1.1.0.Final in order to conform to Java EE 7
- [PLUTO-795] - Release Preparation 3.1.1
