The following security issues have been identified and addressed:
Although there were no security vulnerabilities identified or fixed in the Apache Pluto source code itself, various third-party dependencies were updated due to known security vulnerabilities. For more information, refer to the Apache Pluto 3.1.2 Release Notes.
CVEID: CVE-2021-36737
DESCRIPTION: The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks.
Versions Affected:
3.0.0, 3.0.1, 3.1.0
Mitigation:
* Uninstall the v3-demo-portlet.war artifact
- or -
* Migrate to version 3.1.1 of the v3-demo-portlet.war artifact
CVEID: CVE-2021-36738
DESCRIPTION: The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks.
Versions Affected:
3.1.0
Mitigation:
* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact
- or -
* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact
CVEID: CVE-2021-36739
DESCRIPTION: The "first name" and "last name" fields of the Apache Pluto MVCBean JSP portlet Maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.
Versions Affected:
3.1.0
Mitigation:
* If a project was generated from the affected Maven archetype using a command like the following:
    mvn archetype:generate \
      -DarchetypeGroupId=org.apache.portals.pluto.archetype \
      -DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
      -DarchetypeVersion=3.1.0 \
      -DgroupId=com.mycompany \
      -DartifactId=com.mycompany.my.mvcbean.jsp.portlet
  then, in the generated project, replace the unescaped output:
    <span>${user.firstName} ${user.lastName}! </span>
  with the HTML-encoded form:
    <span>${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! </span>
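As an added example (not part of the Apache Pluto advisory or code base), the following heuristic Python scanner reports EL expressions in JSP/JSPX text that reach the page without the `mvc.encoders.html(...)` wrapper shown in the fix above. Accepting `fn:escapeXml` as an encoder and skipping prefixed action tags are assumptions of this example, and the sample input is constructed.

```python
import re

# ${...} / #{...} expressions; in JSP template text their value is written as-is.
EL_EXPR = re.compile(r"[$#]\{([^}]*)\}")
# Assumption: EL inside prefixed action tags (<c:if test="${...}">) is an argument, not output.
ACTION_TAG = re.compile(r"<\w+:[\w.-]+\b[^>]*>", re.S)
# Encoders accepted: the one from the fix above, plus JSTL fn:escapeXml (assumption).
ENCODERS = ("mvc.encoders.html", "fn:escapeXml")

def is_encoded(expr):
    """True only if the whole expression is a single encoder call."""
    expr = expr.strip()
    if not expr.endswith(")") or not any(expr.startswith(e + "(") for e in ENCODERS):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:  # encoder call closed: it must be the last character
                return i == len(expr) - 1
    return False

def find_unescaped_el(jsp_text):
    """Return [(line_no, expression)] for EL written to the page unencoded."""
    # Blank out action tags but keep their newlines so line numbers stay right.
    text = ACTION_TAG.sub(lambda m: "\n" * m.group(0).count("\n"), jsp_text)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in EL_EXPR.finditer(line):
            if not is_encoded(m.group(1)):
                findings.append((line_no, m.group(0)))
    return findings

# Constructed sample: the vulnerable line, its fixed form, and two edge cases.
SAMPLE = """<jsp:root xmlns:c="http://java.sun.com/jsp/jstl/core">
<span>${user.firstName} ${user.lastName}! </span>
<span>${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! </span>
<c:if test="${user.firstName != null}">
<a title="${mvc.encoders.html(user.firstName).concat(user.lastName)}">x</a>
</c:if>
</jsp:root>
"""

if __name__ == "__main__":
    for line_no, expr in find_unescaped_el(SAMPLE):
        print(f"line {line_no}: unencoded EL output {expr}")
```

A finding is a line to review, not proof of XSS: the expression may carry a value that is never user-controlled.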
CVEID: CVE-2019-0186
DESCRIPTION: The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks.
Versions Affected:
3.0.0, 3.0.1
Mitigation:
* Uninstall the ChatRoomDemo war file
- or -
* Migrate to version 3.1.0 of the chat-room-demo war file
CVEID: CVE-2018-1306
DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
Versions Affected:
3.0.0
Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* Migrate to version 3.0.1
CVEID: CVE-2015-1926
DESCRIPTION: The Java Portlet Specification API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
Versions Affected:
2.0.0, 3.0.0
Mitigation:
* Migrate to version 3.0.1