Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 8.18.0, 8.13.10, 8.18.2, 8.19.0
Affects Version/s: 8.11.0, 8.16.1
Component/s: Infrastructure & Services - Application Lifecycle
Labels:

Introduced in Version:
8.11
Support reference count:
7
Symptom Severity:
Severity 2 - Major
UIS:
37
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Jira system is currently using underscore.js 1.9.1. However, it is being affected due to CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2
From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Steps to Reproduce

Install Jira Software 8.17 or below;

Expected Results

Have Jira using underscore.js 1.13.1 or higher.

Actual Results

Jira is using underscore.js 1.9.1

Workaround

No workaround is available.

is related to

CONFSERVER-74276 CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

Closed

JRASERVER-72643 Vulnerable version of Underscore.js used - CVE-2021-23358

Published

is duplicated by: MNSTR-5283 Loading...

mentioned in: Page Loading...

relates to: JPO-17397 Loading...

Assignee:: Mateusz Witkowski

Reporter:: Henrique Girardi (Inactive)

Votes:: 5 Vote for this issue

Watchers:: 18 Start watching this issue

Created:: 02/Jun/2021 4:03 PM

Updated:: 11/Jul/2023 1:28 AM

Resolved:: 18/Aug/2021 10:24 AM