Project Security

The following security issues have been identified and addressed:

Version 3.1.2

  • Although there were no security vulnerabilities identified or fixed in the Apache Pluto source code itself, various third-party dependencies were updated due to known security vulnerabilities. For more information, refer to the Apache Pluto 3.1.2 Release Notes.

Version 3.1.1

  • CVEID: CVE-2021-36737

    DESCRIPTION: The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks.

    Versions Affected:
    3.0.0, 3.0.1, 3.1.0

    Mitigation:
    * Uninstall the v3-demo-portlet.war artifact
    - or -
    * Migrate to version 3.1.1 of the v3-demo-portlet.war artifact

  • CVEID: CVE-2021-36738

    DESCRIPTION: The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks.

    Versions Affected:
    3.1.0

    Mitigation:
    * Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact
    - or -
    * Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

  • CVEID: CVE-2021-36739

    DESCRIPTION: The "first name" and "last name" fields of the Apache Pluto MVCBean JSP portlet Maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

    Versions Affected:
    3.1.0

    Mitigation:
    * If a project was generated from the affected Maven archetype using a command like the following:

    mvn archetype:generate \
    	-DarchetypeGroupId=org.apache.portals.pluto.archetype \
    	-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
    	-DarchetypeVersion=3.1.0 \
    	-DgroupId=com.mycompany \
    	-DartifactId=com.mycompany.my.mvcbean.jsp.portlet

    Then developers must fix the generated greeting.jspx file by escaping the rendered values submitted to the "First Name" and "Last Name" fields.

    For example, change:
    <span>${user.firstName} ${user.lastName}! </span>

    To:
    <span>${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! </span>

    * Moving forward, all such projects should be generated from version 3.1.1 of the Maven archetype.
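
    As an added example (not code from the Pluto project or this advisory), the following Python audit script finds ${...} expressions in generated greeting.jspx files that are not wrapped in mvc.encoders.html(...), so projects generated from the 3.1.0 archetype can be checked before and after the fix above. The sample strings are constructed from the before/after lines above; the directory layout and file names are assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample content, modelled on the before/after lines in the
# CVE-2021-36739 mitigation (not files taken from the Pluto archetype).
VULNERABLE_JSPX = "<span>${user.firstName} ${user.lastName}! </span>"
FIXED_JSPX = ("<span>${mvc.encoders.html(user.firstName)} "
              "${mvc.encoders.html(user.lastName)}! </span>")

# Any EL expression, and the encoder wrapper the advisory recommends.
EL_EXPR = re.compile(r"\$\{([^}]*)\}")
ENCODED = re.compile(r"^\s*mvc\.encoders\.html\(.*\)\s*$")


def find_unescaped_el(jspx_text: str) -> List[Tuple[int, str]]:
    """Return (line number, expression) for every ${...} in the text whose
    body is not wrapped in mvc.encoders.html(...).

    This is a heuristic for review: it flags every unwrapped expression,
    including ones that may already be safe (e.g. numeric values), and it
    does not follow expressions into included fragments or custom tags."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(jspx_text.splitlines(), 1):
        for match in EL_EXPR.finditer(line):
            if not ENCODED.match(match.group(1)):
                findings.append((lineno, match.group(0)))
    return findings


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Audit every *.jspx file under root (assumed layout of a generated
    project) and map relative path -> findings for files that have any."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    for path in Path(root).rglob("*.jspx"):
        findings = find_unescaped_el(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


if __name__ == "__main__":
    # Demonstrate on the constructed samples; pass a project directory to
    # scan_tree() to audit real generated files.
    print("vulnerable:", find_unescaped_el(VULNERABLE_JSPX))
    print("fixed:     ", find_unescaped_el(FIXED_JSPX))
```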

Version 3.1.0

  • CVEID: CVE-2019-0186

    DESCRIPTION: The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks.

    Versions Affected:
    3.0.0, 3.0.1

    Mitigation:
    * Uninstall the ChatRoomDemo war file
    - or -
    * Migrate to version 3.1.0 of the chat-room-demo war file

Version 3.0.1

  • CVEID: CVE-2018-1306

    DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

    Versions Affected:
    3.0.0

    Mitigation:
    * Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
    - or -
    * Migrate to version 3.0.1

  • CVEID: CVE-2015-1926

    DESCRIPTION: The Java Portlet Specification API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

    Versions Affected:
    2.0.0
    3.0.0

    Mitigation:
    * Migrate to version 3.0.1