Details
- Bug
- Resolution: Fixed
- High
- 8.11.0, 8.16.1
- 8.11
- 7
- Severity 2 - Major
- 37
Description
Issue Summary
Jira currently uses underscore.js 1.9.1, which is affected by CVE-2021-23358:
- The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Steps to Reproduce
- Install Jira Software 8.17 or below.
Expected Results
Jira uses underscore.js 1.13.1 or higher.
Actual Results
Jira is using underscore.js 1.9.1.
Workaround
No workaround is available.
Issue Links
- is related to
  - CONFSERVER-74276 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher (Closed)
  - JRASERVER-72643 Vulnerable version of Underscore.js used - CVE-2021-23358 (Published)
- is duplicated by
  - MNSTR-5283
- relates to
  - JPO-17397