Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-79464

Mobile web: upgrade Underscore.js to 1.13.1 or higher

XMLWordPrintable

      Issue Summary

      The mobile web view in Confluence is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358

      The package underscore from 1.13.0-0 and before 1.13.0-2
      From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

      Steps to Reproduce

      1. Install Confluence 7.13.1 or below

      Expected Results

      Have Confluence using underscore.js 1.13.1 or higher.

      Actual Results

      The mobile web view in Confluence is using underscore.js 1.3.3 which is affected.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available

          Form Name

            [CONFSERVER-79464] Mobile web: upgrade Underscore.js to 1.13.1 or higher

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.20.0.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            James Whitehead added a comment - A fix for this issue is available in Confluence Server and Data Center 7.20.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

              b671dbb3cc53 Navaz Sayyed (Inactive)
              dmark@atlassian.com Danny (Inactive)
              Affected customers:
              2 This affects my team
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: