Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.0.0
Affects Version/s: 7.13.1
Component/s: Security
Labels:

Support reference count:
4
Symptom Severity:
Severity 2 - Major
UIS:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

UPM is currently using underscore.js 1.4.4. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Confluence 7.13.1 or below

Expected Results

Have Confluence using underscore.js 1.13.1 or higher.

Actual Results

UPM in Confluence is using underscore.js 1.4.4 which is affected.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

Attachments

Issue Links

is cloned from

CONFSERVER-74276 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

Closed

was cloned as

CONFSERVER-79463 Notifications: upgrade Underscore.js to 1.13.1 or higher

Closed

follows: VULN-853325 Loading...

links to

https://bulldog.internal.atlassian.com/browse/BSP-4334

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Sumitra Sahu

Reporter:: Danny (Inactive)

Votes:: 3 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Due:: 04/Jan/2023

Created:: 04/Jul/2022 12:04 AM

Updated:: 05/Dec/2022 1:49 AM

Resolved:: 05/Dec/2022 1:06 AM