E92f396700a6JRASERVER-72474CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.8%
h3. Issue Summary
Jira system is currently usingย underscore.jsย 1.9.1. However, it is being affected due toย [CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358]
- The package underscore from 1.13.0-0 and before 1.13.0-2
- From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
h3. Steps to Reproduce
Install Jira Software 8.17 or below;
h3. Expected Results
Have Jira using ย underscore.jsย 1.13.1 or higher.
h3. Actual Results
Jira is usingย underscore.jsย 1.9.1
h3. Workaround
No workaround is available.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jira data center | le | 8.11.0 | |
| jira data center | le | 8.16.1 | |
| jira data center | lt | 8.18.0 | |
| jira data center | lt | 8.13.10 | |
| jira data center | lt | 8.18.2 | |
| jira data center | lt | 8.19.0 |
Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.8%