Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.0.0
Affects Version/s: 7.13.1
Component/s: Security
Labels:

Support reference count:
4
Symptom Severity:
Severity 2 - Major
UIS:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

UPM is currently using underscore.js 1.4.4. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Confluence 7.13.1 or below

Expected Results

Have Confluence using underscore.js 1.13.1 or higher.

Actual Results

UPM in Confluence is using underscore.js 1.4.4 which is affected.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

is cloned from

CONFSERVER-74276 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

Closed

was cloned as

CONFSERVER-79463 Notifications: upgrade Underscore.js to 1.13.1 or higher

Closed

follows: VULN-853325 Loading...

links to

https://bulldog.internal.atlassian.com/browse/BSP-4334

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...

(1 mentioned in)

Assignee:: Sumitra Sahu (Inactive)

Reporter:: Danny (Inactive)

Votes:: 3 Vote for this issue

Watchers:: 9 Start watching this issue

Due:: 04/Jan/2023

Created:: 04/Jul/2022 12:04 AM

Updated:: 05/Dec/2022 1:49 AM

Resolved:: 05/Dec/2022 1:06 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Activity

People

Dates