Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.13.12, 7.19.5, 8.0.0
Affects Version/s: 7.13.1
Component/s: Security
Labels:

Support reference count:
2
Symptom Severity:
Severity 2 - Major
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Atlassian Notifications is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Confluence 7.13.1 or below

Expected Results

Have Confluence using underscore.js 1.13.1 or higher.

Actual Results

Notifications in Confluence is using underscore.js 1.3.3 which is affected.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

Attachments

Issue Links

is cloned from

CONFSERVER-79462 UPM: upgrade Underscore.js to 1.13.1 or higher

Closed

was cloned as

CONFSERVER-79464 Mobile web: upgrade Underscore.js to 1.13.1 or higher

Closed

follows: VULN-853324 Loading...

links to

Link to PR

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Navaz Sayyed (Inactive)

Reporter:: Danny (Inactive)

Votes:: 3 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Due:: 09/Jan/2023

Created:: 04/Jul/2022 12:07 AM

Updated:: 31/May/2023 12:48 PM

Resolved:: 05/Dec/2022 1:06 AM