CVE-2019-11358

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

References

https://www.drupal.org/sa-core-2019-006

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-JQUERY-174006

PatchThird Party Advisory

https://github.com/jquery/jquery/pull/4333

PatchThird Party Advisory

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

PatchThird Party Advisory

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Release NotesVendor Advisory

https://backdropcms.org/security/backdrop-sa-core-2019-009

Third Party Advisory

DSA-4434

Third Party Advisory

20190421 [SECURITY] [DSA 4434-1] drupal7 security update

Mailing ListThird Party Advisory

108023

Broken Link

[airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358

Mailing ListThird Party Advisory

[airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358

Mailing ListThird Party Advisory

[airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358

Mailing ListThird Party Advisory

[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358

Mailing ListThird Party Advisory

[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358

Mailing ListThird Party Advisory

[debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update

Mailing ListThird Party Advisory

FEDORA-2019-eba8e44ee6

Mailing ListThird Party Advisory

FEDORA-2019-1a3edd7e8a

Mailing ListThird Party Advisory

FEDORA-2019-7eaf0bbe7c

Mailing ListThird Party Advisory

FEDORA-2019-2a0ce0c58c

Mailing ListThird Party Advisory

FEDORA-2019-f563e66380

Mailing ListThird Party Advisory

FEDORA-2019-a06dffab1c

Mailing ListThird Party Advisory

20190509 dotCMS v5.1.1 Vulnerabilities

Mailing ListPatchThird Party Advisory

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

Third Party AdvisoryVDB Entry

20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Mailing ListPatchThird Party Advisory

20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Mailing ListPatchThird Party Advisory

20190510 dotCMS v5.1.1 Vulnerabilities

Mailing ListThird Party Advisory

[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update

Mailing ListThird Party Advisory

[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)

Mailing ListPatchThird Party Advisory

http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

Third Party AdvisoryVDB Entry

RHSA-2019:1456

Third Party Advisory

DSA-4460

Third Party Advisory

20190612 [SECURITY] [DSA 4460-1] mediawiki security update

Issue TrackingMailing ListThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

PatchThird Party Advisory

https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/

PatchThird Party Advisory

openSUSE-SU-2019:1839

Mailing ListThird Party Advisory

RHBA-2019:1570

Third Party Advisory

openSUSE-SU-2019:1872

Mailing ListThird Party Advisory

[roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js

Mailing ListThird Party Advisory

RHSA-2019:2587

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190919-0001/

Third Party Advisory

RHSA-2019:3023

Third Party Advisory

RHSA-2019:3024

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

PatchThird Party Advisory

[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities

Mailing ListThird Party Advisory

[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Mailing ListThird Party Advisory

[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Mailing ListThird Party Advisory

https://www.synology.com/security/advisory/Synology_SA_19_19

Third Party Advisory

[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html

Mailing ListThird Party Advisory

https://www.tenable.com/security/tns-2019-08

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Third Party Advisory

[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html

Mailing ListThird Party Advisory

[debian-lts-announce] 20200224 [SECURITY] [DLA 2118-1] otrs2 security update

Mailing ListThird Party Advisory

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

Third Party AdvisoryVDB Entry

https://www.tenable.com/security/tns-2020-02

Third Party Advisory

N/A

PatchThird Party Advisory

[syncope-dev] 20200423 Jquery version on 2.1.x/2.0.x

Mailing ListThird Party Advisory

[flink-dev] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[flink-issues] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[flink-issues] 20200518 [jira] [Commented] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[flink-issues] 20200518 [jira] [Updated] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[flink-issues] 20200518 [jira] [Assigned] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[flink-issues] 20200520 [jira] [Closed] (FLINK-17675) Resolve CVE-2019-11358 from jquery

Mailing ListThird Party Advisory

[storm-dev] 20200708 [GitHub] [storm] Crim opened a new pull request #3305: [STORM-3553] Upgrade jQuery from 1.11.1 to 3.5.1

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

PatchThird Party Advisory

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

PatchThird Party Advisory

N/A

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

PatchThird Party Advisory

CvssV3 impact

BaseSeverity	MEDIUM
ConfidentialityImpact	LOW
AttackComplexity	LOW
Scope	CHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	LOW
PrivilegesRequired	NONE
BaseScore	6.1
VectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Version	3.1
UserInteraction	REQUIRED

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:M/Au:N/C:N/I:P/A:N
AccessVector	NETWORK
AccessComplexity	MEDIUM
Authentication	NONE
ConfidentialityImpact	NONE
IntegrityImpact	PARTIAL
AvailabilityImpact	NONE
BaseScore	4.3

Created by Yello

About Severity.io