JSDSERVER-15978: Injection org.webjars.npm:underscore Dependency in Jira Service Management Data Center and Server

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 10.3.1
    • Affects Version/s: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.12.0, 5.4.11, 5.4.12, 5.12.1, 5.4.13, 5.4.14, 5.4.15, 5.12.2, 5.4.16, 5.12.3, 5.4.17, 5.12.4, 5.4.18, 5.12.6, 5.4.19, 5.12.5, 5.4.20, 5.12.7, 5.4.21, 5.12.8, 5.4.22, 5.12.9, 5.12.12, 5.4.23, 5.12.10, 5.12.11, 5.4.24, 5.4.25, 5.4.26, 5.12.13, 5.4.27, 5.12.14, 10.3.0, 5.4.28, 5.4.29, 5.12.15, 5.12.16, 5.4.30, 5.12.17
    • CVSS Score: 7.2
    • Severity: High
    • CVE: CVE-2021-23358
    • Atlassian (Internal)
    • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Injection
    • Jira Service Management Data Center, Jira Service Management Server

      This High severity org.webjars.npm:underscore Dependency vulnerability was introduced in versions 5.4, 5.12 and 10.3.0 of Jira Service Management Data Center and Server.

      This org.webjars.npm:underscore Dependency vulnerability, with a CVSS Score of 7.2 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, allows arbitrary code injection via the template function, particularly when the variable option is taken from _.templateSettings, as it is not sanitized.

      Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      • Jira Service Management Data Center and Server 5.4, 5.12 and 10.3: Upgrade to a release greater than or equal to 10.3.1

      See the release notes (https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html). You can download the latest version of Jira Service Management Data Center and Server from the download center (https://www.atlassian.com/software/jira/service-management/download-archives).

      The National Vulnerability Database provides the following description for this vulnerability: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.


      Note: To mitigate CVE-2021-23358, we upgraded the underscore.js dependency that Jira provides so that it explicitly consumes 1.13.7 (jira/api/underscore-1.13, jira-frontend-api:underscore-1.13) in our latest security and bug fix releases, which are noted as fixed releases above. Moving to one of the fixed versions will stop security scanners from detecting this CVE in those releases.

      We also want to share that Jira Service Management DC does not utilise underscore.js in a way that makes any version vulnerable to this CVE. More specifically, we don't utilise the vulnerable template function in any version of JSMDC. Versions not listed as fixed are not vulnerable to this CVE but may receive alerts from scanners.
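      As an added example (not Atlassian's or underscore's code), the two checks a practitioner needs when this ticket shows up in a scan: classifying an org.webjars.npm:underscore version against the NVD ranges quoted above, and the mitigation-side rule that a template `variable` setting must be a bare identifier. The identifier regex is modeled on the upstream underscore fix and is an assumption here; the Maven coordinate in the sample is constructed.

```javascript
// Added example (not Atlassian's or underscore's code): triage helpers for CVE-2021-23358 in
// the org.webjars.npm:underscore dependency. Affected ranges are the ones the NVD description
// states; the bare-identifier check is modeled on the upstream underscore fix (assumption).

// Parse "1.13.0-1" into numeric core parts plus an optional numeric prerelease.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { core: [m[1], m[2], m[3]].map(Number), pre: m[4] === undefined ? null : Number(m[4]) };
}

// Semver ordering: compare the core numerically; a release sorts after every prerelease
// of the same core (so 1.13.0-2 < 1.13.0), and prereleases compare numerically.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Affected ranges from the NVD description, each as [from, before).
const CVE_2021_23358_RANGES = [
  { from: '1.3.2', before: '1.12.1' },
  { from: '1.13.0-0', before: '1.13.0-2' },
];

function isAffectedUnderscoreVersion(version) {
  return CVE_2021_23358_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0
  );
}

// Triage a Maven coordinate such as "org.webjars.npm:underscore:1.9.1" (constructed sample).
// Returns null for anything that is not the underscore webjar.
function triageWebjar(coordinate) {
  const [group, artifact, version] = coordinate.split(':');
  if (group !== 'org.webjars.npm' || artifact !== 'underscore' || !version) return null;
  return { version, affected: isAffectedUnderscoreVersion(version) };
}

// Mitigation-side check: accept a template `variable` setting only if it is a bare
// identifier, so splicing it into generated code cannot change the code's meaning.
const BARE_IDENTIFIER = /^\s*(\w|\$)+\s*$/;
function isSafeTemplateVariable(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}
```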


            Alec Bignell added a comment:

            Hey all, I have updated the summary of the ticket. Please note that whilst versions < 10.3.1 are using a version of underscore.js where CVE-2021-23358 is present, no version of JSM utilises underscore.js in a way that exposes this vulnerability.

            Despite the version bump not being a major version, the bump did come with a couple of breaking changes which caused some bugs in JSM 10.3.1; these have since been fixed in 10.3.2 and 10.3.3.

            It is too risky to backport this to the previous LTS and it isn't necessary given 5.12 isn't impacted by the vulnerability.

            Fatma Rhimi added a comment:

            Hello,

            Why is this CVE not appearing in the last Security Bulletin, please? According to the bulletin, version 5.12.15 is a fix version, while in this ticket it is an affected version and we should upgrade to 10.3.1?

            Thanks

            Benjamin W. added a comment:

            Interestingly, on Jan 21st evening (German time), upon release of the January Security Bulletin, this CVE-2021-23358 was listed for JSM.

            Now on Jan 22nd morning (German time), checking the January Security Bulletin again, CVE-2021-23358 has been replaced by CVE-2024-47561 (which is the same one as for Jira and Confluence).

            CVE-2021-23358 is not listed any more in the Bulletin.

            Has this been updated, as for CVE-2021-23358 there is no fix for the 5.12 LTS stream?

            Edgar Koenig - SVA added a comment:

            Hi,

            When will this high risk CVE be fixed for the LTS release 5.12?

            Zeerak Khurshid added a comment (edited):

            Mitigation efforts state that if we are unable to upgrade to 10.3.1 or 10.3.2, we can upgrade our instance to one of the specified supported fixed versions:

            • Jira Service Management Data Center and Server 5.4, 5.12 and 10.3: Upgrade to a release greater than or equal to 10.3.1

            However, 10.3.2 and 5.12.17 came out on the same day (January 8, 2025) but v5.12.17 is listed as an affected version.

            Please advise.

              Assignee: Unassigned
              Reporter: Yann