[CONFSERVER-79462] UPM: upgrade Underscore.js to 1.13.1 or higher

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.0.0
Affects Version/s: 7.13.1
Component/s: Security
Labels:

Support reference count:
4
Symptom Severity:
Severity 2 - Major
UIS:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

UPM is currently using underscore.js 1.4.4. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Confluence 7.13.1 or below

Expected Results

Have Confluence using underscore.js 1.13.1 or higher.

Actual Results

UPM in Confluence is using underscore.js 1.4.4 which is affected.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

is cloned from

CONFSERVER-74276 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

Closed

was cloned as

CONFSERVER-79463 Notifications: upgrade Underscore.js to 1.13.1 or higher

Closed

follows: VULN-853325 Failed to load

links to

https://bulldog.internal.atlassian.com/browse/BSP-4334

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...

(1 mentioned in)

Form Name

James Whitehead added a comment - 05/Dec/2022 1:06 AM

A fix for this issue is available in Confluence Server and Data Center 8.0.0.
Upgrade now or check out the Release Notes to see what other issues are resolved.

James Whitehead added a comment - 05/Dec/2022 1:06 AM A fix for this issue is available in Confluence Server and Data Center 8.0.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

Sumitra Sahu (Inactive) added a comment - 29/Sep/2022 4:50 AM

Underscore.js updated in UPM-server in https://bulldog.internal.atlassian.com/browse/BSP-4334
and the release version bumped in Confluence as a part of the below Jira issue.
https://jira.atlassian.com/browse/CONFSRVDEV-24078

Sumitra Sahu (Inactive) added a comment - 29/Sep/2022 4:50 AM Underscore.js updated in UPM-server in https://bulldog.internal.atlassian.com/browse/BSP-4334 and the release version bumped in Confluence as a part of the below Jira issue. https://jira.atlassian.com/browse/CONFSRVDEV-24078

simon.r.martin added a comment - 08/Aug/2022 4:22 PM

I am still running on the old LTS version 7.4.17
Is this version affected? If so - is there a fix in LTS 7.4.*?

simon.r.martin added a comment - 08/Aug/2022 4:22 PM I am still running on the old LTS version 7.4.17 Is this version affected? If so - is there a fix in LTS 7.4.*?

Assignee:: Sumitra Sahu (Inactive)

Reporter:: Danny (Inactive)

Affected customers:: 3 This affects my team

Watchers:: 9 Start watching this issue

Created:: 04/Jul/2022 12:04 AM

Updated:: 05/Dec/2022 1:49 AM

Resolved:: 05/Dec/2022 1:06 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: James Whitehead added a comment - 05/Dec/2022 1:06 AM

Expand comment: James Whitehead added a comment - 05/Dec/2022 1:06 AM

Collapse comment: Sumitra Sahu (Inactive) added a comment - 29/Sep/2022 4:50 AM

Expand comment: Sumitra Sahu (Inactive) added a comment - 29/Sep/2022 4:50 AM

Collapse comment: simon.r.martin added a comment - 08/Aug/2022 4:22 PM

Expand comment: simon.r.martin added a comment - 08/Aug/2022 4:22 PM

People

Dates