CVE-2019-11358

Name: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1777-1, DLA-1797-1, DLA-2118-1, DSA-4434-1, DSA-4460-1
NVD severity: medium
Debian Bugs: 927330, 927385, 927466
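The description above is terse about the mechanism, so here is an added example (not jQuery's source and not part of the Debian tracker page): a minimal model of the recursive for-in merge pattern that jQuery.extend(true, ...) used before 3.4.0, beside a hardened variant that skips the "__proto__" key the way the 3.4.0 fix does. Function names (deepExtendVulnerable, deepExtendHardened, runMerge, isPolluted, demo) and the attacker payload are my own constructions; the behaviour of target["__proto__"] resolving to Object.prototype is standard JavaScript.

```javascript
// Added example, not jQuery's code: models the deep-merge bug behind
// CVE-2019-11358 and the "__proto__" skip that fixed it.

// Vulnerable model: a recursive for-in merge in the style of the pre-3.4.0
// jQuery.extend(true, target, source). It never special-cases "__proto__".
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // For key === "__proto__", target[key] goes through the inherited
      // __proto__ accessor and returns the target's prototype, i.e.
      // Object.prototype for a plain {}. That object becomes the merge
      // destination, so the attacker's nested keys land on every object.
      const existing = target[key];
      const clone = existing !== null && typeof existing === "object" && !Array.isArray(existing)
        ? existing
        : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened model: skip "__proto__" (what jQuery 3.4.0 added) and iterate only
// own keys, so attacker-controlled data cannot walk into the prototype chain.
function deepExtendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = existing !== null && typeof existing === "object" && !Array.isArray(existing)
        ? existing
        : {};
      target[key] = deepExtendHardened(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. It must come from JSON.parse (or any parser that
// creates an own, enumerable property literally named "__proto__"); an object
// literal {__proto__: {...}} would set the prototype instead of creating an own
// key, which is why untrusted JSON is the realistic vector for this bug.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Check: does a freshly created, unrelated object now see the attacker's key?
function isPolluted() {
  return ({}).isAdmin === true;
}

// Merge the payload into an empty settings object with the given implementation
// and report whether Object.prototype was modified. The polluted property is
// deleted afterwards so the demo is repeatable within one process.
function runMerge(extendFn) {
  const settings = extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = isPolluted();
  delete Object.prototype.isAdmin;
  return { polluted, theme: settings.theme };
}

function demo() {
  return {
    vulnerable: runMerge(deepExtendVulnerable), // { polluted: true,  theme: "dark" }
    hardened: runMerge(deepExtendHardened),     // { polluted: false, theme: "dark" }
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The same isPolluted-style probe (create a fresh object and look for a sentinel key) is a cheap runtime check to add to a test suite for any deep-merge or "extend" helper that receives parsed JSON from the network.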

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
drupal7 (PTS) | jessie | 7.32-1+deb8u12 | vulnerable
drupal7 | jessie (security) | 7.32-1+deb8u17 | fixed
drupal7 | stretch (security), stretch | 7.52-2+deb9u9 | fixed
jquery (PTS) | jessie | 1.7.2+dfsg-3.2 | vulnerable
jquery | jessie (security) | 1.7.2+dfsg-3.2+deb8u7 | fixed
jquery | stretch | 3.1.1-2+deb9u1 | fixed
jquery | bullseye, sid, buster | 3.3.1~dfsg-3 | fixed
mediawiki (PTS) | stretch (security), stretch | 1:1.27.7-1~deb9u3 | fixed
mediawiki | buster, buster (security) | 1:1.31.6-1~deb10u1 | fixed
mediawiki | bullseye, sid | 1:1.31.6-1 | fixed
node-jquery (PTS) | buster | 2.2.4+dfsg-4 | fixed
node-jquery | bullseye, sid | 3.4.0+dfsg-1 | fixed
otrs2 (PTS) | buster/non-free | 6.0.16-2 | vulnerable
otrs2 | sid/non-free, bullseye/non-free | 6.0.26-1 | fixed
otrs2 | stretch/non-free (security), stretch/non-free | 5.0.16-1+deb9u6 | vulnerable
otrs2 | jessie | 3.3.18-1+deb8u4 | vulnerable
otrs2 | jessie (security) | 3.3.18-1+deb8u14 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
drupal7 | source | (unstable) | (unfixed) | | | 927330
drupal7 | source | jessie | 7.32-1+deb8u17 | | DLA-1797-1 |
drupal7 | source | stretch | 7.52-2+deb9u8 | | DSA-4434-1 |
jquery | source | (unstable) | 3.3.1~dfsg-2 | | | 927385
jquery | source | jessie | 1.7.2+dfsg-3.2+deb8u6 | | DLA-1777-1 |
jquery | source | stretch | 3.1.1-2+deb9u1 | | |
mediawiki | source | (unstable) | 1:1.31.2-1 | | |
mediawiki | source | stretch | 1:1.27.7-1~deb9u1 | | DSA-4460-1 |
node-jquery | source | (unstable) | 2.2.4+dfsg-4 | | | 927466
otrs2 | source | (unstable) | 6.0.26-1 | | |
otrs2 | source | jessie | 3.3.18-1+deb8u14 | | DLA-2118-1 |

Notes

[buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
https://www.drupal.org/sa-core-2019-006
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://phabricator.wikimedia.org/T221739
https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
https://community.otrs.com/security-advisory-2020-05/