Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.13.6, 7.16.0, 7.17.0
Affects Version/s: 7.13.1
Component/s: Security
Labels:

Support reference count:
1
Symptom Severity:
Severity 2 - Major
UIS:
0
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Confluence is currently using underscore.js 1.10.2. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Confluence 7.13.1 or below

Expected Results

Have Confluence using underscore.js 1.13.1 or higher.

Actual Results

Confluence is using underscore.js 1.10.2 which is affected.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

relates to

JRASERVER-72474 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

Closed

JRASERVER-72643 Vulnerable version of Underscore.js used - CVE-2021-23358

Published

was cloned as

CONFSERVER-79462 UPM: upgrade Underscore.js to 1.13.1 or higher

Closed

links to

Original (master branch) ticket on AsecJ > VULN

Assignee:: Bhanu Darisi (Inactive)

Reporter:: Danny (Inactive)

Votes:: 2 Vote for this issue

Watchers:: 23 Start watching this issue

Due:: 16/Feb/2022

Created:: 21/Oct/2021 11:57 AM

Updated:: 08/Aug/2022 3:34 PM

Resolved:: 22/Feb/2022 11:11 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Activity

People

Dates