Release Notes - Pluto 3.1.1

Pluto version 3.1.1 is a release that mainly focuses on security related issues such as updating vulnerable third-party dependencies and fixing project CVEs.


  • [CVE-2021-36737] - XSS in V3 Demo Portlet
  • [CVE-2021-36738] - XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet
  • [CVE-2021-36739] - XSS vulnerability in the MVCBean JSP portlet maven archetype


  • [PLUTO-781] - PortletRequestDispatcherImpl forwards to incorrect path
  • [PLUTO-782] - Default "tomcat" and "pluto" users are granted "manager-gui" role


  • [PLUTO-786] - Upgrade to version Spring Framework 5.3.7 and Spring Security 5.5.1 due to CVE-2021-22112 and CVE-2021-22119
  • [PLUTO-787] - Migrate to Log4j 2.16.0 due to CVE-2019-17571 and CVE-2021-44228
  • [PLUTO-788] - Upgrade to Tomcat 8.5.69 due to multiple CVE issues
  • [PLUTO-789] - Upgrade to commons-io-2.7 due to CVE-2021-29425
  • [PLUTO-790] - Upgrade to JUnit 4.13.1 due to CVE-2020-15250
  • [PLUTO-792] - Upgrade to taglibs-standard-impl-1.2.3 due to CVE-2015-0254
  • [PLUTO-794] - Downgrade to hibernate-validator-5.4.3.Final and validation-api-1.1.0.Final in order to conform to Java EE 7
  • [PLUTO-795] - Release Preparation 3.1.1