Jira Data Center / JRASERVER-72474

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher


Details

    Description

      Issue Summary

      Jira is currently using underscore.js 1.9.1, which is affected by CVE-2021-23358.

      The underscore package is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized. The affected versions are:

      • From 1.13.0-0 and before 1.13.0-2
      • From 1.3.2 and before 1.12.1

      Steps to Reproduce

      1. Install Jira Software 8.17 or below.

      Expected Results

      Jira uses underscore.js 1.13.1 or higher.

      Actual Results

      Jira is using underscore.js 1.9.1

      Workaround

      No workaround is available.
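
A way to check bundled underscore versions against the affected ranges listed in the issue summary, handling the prerelease bounds (1.13.0-0, 1.13.0-2) by semver precedence. This is an added example, not code from Jira or Underscore; the function names and the sample inventory are assumptions made for illustration.

```javascript
// Added example (not Atlassian or Underscore code). Ranges come from the issue text:
// >= 1.3.2 and < 1.12.1, or >= 1.13.0-0 and < 1.13.0-2.
const AFFECTED_RANGES = [["1.3.2", "1.12.1"], ["1.13.0-0", "1.13.0-2"]];

// Parse "1.13.0-1" into { core: [1, 13, 0], pre: ["1"] }; null if not semver-shaped.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(text).trim());
  if (!m) return null;
  return { core: [1, 2, 3].map((i) => Number(m[i])), pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first; a prerelease sorts below its own release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.pre.length || !b.pre.length) {
    return (a.pre.length ? 0 : 1) - (b.pre.length ? 0 : 1);
  }
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort below alphanumeric
    return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside either affected range.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new Error("unparseable version: " + version);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Constructed inventory; the bundle names are hypothetical.
const SAMPLE_INVENTORY = [
  { bundle: "bundle-a", underscore: "1.9.1" },
  { bundle: "bundle-b", underscore: "1.13.0-1" },
  { bundle: "bundle-c", underscore: "1.12.1" },
  { bundle: "bundle-d", underscore: "1.13.1" },
];

function affectedBundles(inventory) {
  return inventory.filter((e) => isAffected(e.underscore)).map((e) => e.bundle);
}

console.log(affectedBundles(SAMPLE_INVENTORY));
```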


            People

              Mateusz Witkowski
              Henrique Girardi (Inactive)