CVE-2019-11358

Name: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1777-1, DLA-1797-1, DSA-4434-1, DSA-4460-1
NVD severity: medium (attack range: remote)
Debian Bugs: 927330, 927385, 927466

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release              Version                  Status
drupal7 (PTS)       jessie               7.32-1+deb8u12           vulnerable
                    jessie (security)    7.32-1+deb8u17           fixed
                    stretch              7.52-2+deb9u8            fixed
                    stretch (security)   7.52-2+deb9u9            fixed
jquery (PTS)        jessie               1.7.2+dfsg-3.2           vulnerable
                    jessie (security)    1.7.2+dfsg-3.2+deb8u7    fixed
                    stretch              3.1.1-2+deb9u1           fixed
                    buster, sid          3.3.1~dfsg-3             fixed
mediawiki (PTS)     stretch              1:1.27.5-1~deb9u1        vulnerable
                    stretch (security)   1:1.27.7-1~deb9u1        fixed
                    buster, sid          1:1.31.2-1               fixed
node-jquery (PTS)   buster, sid          2.2.4+dfsg-4             fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version            Urgency   Origin        Debian Bugs
drupal7       source   (unstable)   (unfixed)                medium    -             927330
drupal7       source   jessie       7.32-1+deb8u17           medium    DLA-1797-1    -
drupal7       source   stretch      7.52-2+deb9u8            medium    DSA-4434-1    -
jquery        source   (unstable)   3.3.1~dfsg-2             medium    -             927385
jquery        source   jessie       1.7.2+dfsg-3.2+deb8u6    medium    DLA-1777-1    -
jquery        source   stretch      3.1.1-2+deb9u1           medium    -             -
mediawiki     source   (unstable)   1:1.31.2-1               medium    -             -
mediawiki     source   stretch      1:1.27.7-1~deb9u1        medium    DSA-4460-1    -
node-jquery   source   (unstable)   2.2.4+dfsg-4             medium    -             927466

Notes

https://www.drupal.org/sa-core-2019-006
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://phabricator.wikimedia.org/T221739
https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
