
=====================================================================

                           CERT-Renater

                 Note d'Information No. 2022/VULN004
_____________________________________________________________________

DATE                : 06/01/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Pluto

=====================================================================
https://portals.apache.org/pluto/v311/release-notes.html
_____________________________________________________________________

Release Notes - Pluto 3.1.1
Pluto version 3.1.1 is a release that mainly focuses on security-related
issues, such as updating vulnerable third-party dependencies and fixing
the project's own CVEs.

CVE
[CVE-2021-36737] - XSS in V3 Demo Portlet
[CVE-2021-36738] - XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet
[CVE-2021-36739] - XSS vulnerability in the MVCBean JSP portlet maven archetype

Bug
[PLUTO-781] - PortletRequestDispatcherImpl forwards to incorrect path
[PLUTO-782] - Default "tomcat" and "pluto" users are granted "manager-gui" role

Task
[PLUTO-786] - Upgrade to Spring Framework 5.3.7 and Spring Security 5.5.1 due to CVE-2021-22112 and CVE-2021-22119
[PLUTO-787] - Migrate to Log4j 2.16.0 due to CVE-2019-17571 and CVE-2021-44228
[PLUTO-788] - Upgrade to Tomcat 8.5.69 due to multiple CVE issues
[PLUTO-789] - Upgrade to commons-io-2.7 due to CVE-2021-29425
[PLUTO-790] - Upgrade to JUnit 4.13.1 due to CVE-2020-15250
[PLUTO-792] - Upgrade to taglibs-standard-impl-1.2.3 due to CVE-2015-0254
[PLUTO-794] - Downgrade to hibernate-validator-5.4.3.Final and validation-api-1.1.0.Final in order to conform to Java EE 7
[PLUTO-795] - Release Preparation 3.1.1

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

