Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-79465

Workbox: upgrade Underscore.js to 1.13.1 or higher

    XMLWordPrintable

Details

    Description

      Issue Summary

      Workbox host plugin in Confluence is currently using underscore.js 1.3.1. This is old enough to not be vulnerable to CVE-2021-23358, but it should be using the version provided by Confluence, not its own

      The package underscore from 1.13.0-0 and before 1.13.0-2
      From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

      Steps to Reproduce

      1. Install Confluence 7.13.1 or below

      Expected Results

      Have Confluence using underscore.js 1.13.1 or higher.

      Actual Results

      Workbox host plugin in Confluence is using underscore.js 1.3.1.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available

      Attachments

        Issue Links

          is cloned from

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-79464 Mobile web: upgrade Underscore.js to 1.13.1 or higher

          • Low - Low priority issues
          • Closed
          mentioned in

          Page Loading...

          Activity

            People

              b671dbb3cc53 Navaz Sayyed (Inactive)
              dmark@atlassian.com Danny (Inactive)
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: