CVE-2019-11358 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2019-11358

CVE-2019-11358

April 19, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Affected Packages

jquery (CDN_JS):

Affected version(s) =1.5.1 <1.5.2-jquery-1.5.4

Fix Suggestion:

Update to version 1.5.2-jquery-1.5.4

jquery (CDN_JS):

Affected version(s) >=1.6.1 <1.6.3-jquery-1.6.7

Fix Suggestion:

Update to version 1.6.3-jquery-1.6.7

jquery (CDN_JS):

Affected version(s) >=1.2.3 <3.4.0

Fix Suggestion:

Update to version 3.4.0

jquery (CDN_JS):

Affected version(s) >=1.12.0 <1.12.4-jquery-1.12.6

Fix Suggestion:

Update to version 1.12.4-jquery-1.12.6

jquery (CDN_JS):

Affected version(s) >=1.3.0 <1.3.2-jquery-1.3.3

Fix Suggestion:

Update to version 1.3.2-jquery-1.3.3

jquery (CDN_JS):

Affected version(s) >=1.7 <1.7.2-jquery-1.7.4

Fix Suggestion:

Update to version 1.7.2-jquery-1.7.4

jquery (CDN_JS):

Affected version(s) >=2.2.0 <2.2.4-jquery-2.2.6

Fix Suggestion:

Update to version 2.2.4-jquery-2.2.6

org.webjars.npm:jquery (JAVA):

Affected version(s) >=1.7.2 <3.4.0

Fix Suggestion:

Update to version 3.4.0

jquery (NPM):

Affected version(s) =1.7.2 <1.7.2-jquery-1.7.4

Fix Suggestion:

Update to version 1.7.2-jquery-1.7.4

jquery (NPM):

Affected version(s) >=1.5.1 <3.4.0

Fix Suggestion:

Update to version 3.4.0

jquery (NPM):

Affected version(s) =1.5.1 <1.5.2-jquery-1.5.4

Fix Suggestion:

Update to version 1.5.2-jquery-1.5.4

jquery (NPM):

Affected version(s) >=1.6.2 <1.6.3-jquery-1.6.7

Fix Suggestion:

Update to version 1.6.3-jquery-1.6.7

jquery (NPM):

Affected version(s) >=1.12.0 <1.12.4-jquery-1.12.6

Fix Suggestion:

Update to version 1.12.4-jquery-1.12.6

jquery (NPM):

Affected version(s) >=2.2.0 <2.2.4-jquery-2.2.6

Fix Suggestion:

Update to version 2.2.4-jquery-2.2.6

jquery (NUGET):

Affected version(s) >=1.4.1 <3.4.0

Fix Suggestion:

Update to version 3.4.0

django (PYTHON):

Affected version(s) >=2.2a1 <2.2.2

Fix Suggestion:

Update to version 2.2.2

django (PYTHON):

Affected version(s) >=2.0a1 <2.1.9

Fix Suggestion:

Update to version 2.1.9

jquery-rails (RUBY):

Affected version(s) >=0.1.1 <4.3.4

Fix Suggestion:

Update to version 4.3.4

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (119)

https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5

https://www.oracle.com/security-alerts/cpuApr2021.html

https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

https://access.redhat.com/errata/RHSA-2019:2587

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI

https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E

https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP

https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E

https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://security.netapp.com/advisory/ntap-20190919-0001/

http://www.securityfocus.com/bid/108023

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F

https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

https://www.debian.org/security/2019/dsa-4434

https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/

https://github.com/maximebf/php-debugbar/issues/447

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html

https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://www.debian.org/security/2019/dsa-4460

https://www.oracle.com/security-alerts/cpuapr2020.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F

https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA

https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad

https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html

https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E

https://www.oracle.com//security-alerts/cpujul2021.html

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

https://security-tracker.debian.org/tracker/CVE-2019-11358

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP

https://www.oracle.com/security-alerts/cpujul2020.html

https://github.com/jquery/jquery

https://access.redhat.com/errata/RHSA-2019:3024

https://seclists.org/bugtraq/2019/May/18

https://www.synology.com/security/advisory/Synology_SA_19_19

http://seclists.org/fulldisclosure/2019/May/10

https://www.oracle.com/security-alerts/cpujan2022.html

https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.tenable.com/security/tns-2019-08

https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2019-11358

https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E

https://access.redhat.com/security/cve/CVE-2019-11358

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/

https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E

http://seclists.org/fulldisclosure/2019/May/13

http://www.openwall.com/lists/oss-security/2019/06/03/2

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2020.html

https://access.redhat.com/errata/RHBA-2019:1570

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/

https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E

https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E

https://security.netapp.com/advisory/ntap-20190919-0001

https://www.oracle.com/security-alerts/cpujan2021.html

http://seclists.org/fulldisclosure/2019/May/11

https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E

https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1

https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f

https://www.tenable.com/security/tns-2020-02

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.drupal.org/sa-core-2019-006

https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E

https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434

https://www.djangoproject.com/weblog/2019/jun/03/security-releases

https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E

https://seclists.org/bugtraq/2019/Jun/12

https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E

https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829

https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI

https://access.redhat.com/errata/RHSA-2019:1456

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html

https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

https://github.com/jquery/jquery/pull/4333

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/

https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery

http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html

https://backdropcms.org/security/backdrop-sa-core-2019-009

https://access.redhat.com/errata/RHSA-2019:3023

https://seclists.org/bugtraq/2019/Apr/32

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

Exploit Maturity

POC

CVSS v3

Base Score:

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Exploit Maturity

PROOF-OF-CONCEPT

CVSS v2

Base Score:

4.3

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.84

Products

Solutions

Resources

Company

Compare

Developer Tools