CVE-2019-11358
CVE-2019-11358 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. EPSS estimates an 87.22% chance of exploitation in the next 30 days.
Description
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
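The failure mode the description names, shown as an added example that is not jQuery's code: a deep extend that copies every enumerable key (the pre-3.4.0 behaviour) beside a hardened one that skips `__proto__` (the change the referenced 3.4.0 commit makes; skipping `constructor` and `prototype` as well is an extra hardening assumed here, not part of that fix), plus a detection check. The function names, the `UNTRUSTED_JSON` sample and the `demo` wrapper are all constructed for this illustration.

```javascript
// Added example, not jQuery's code. The sample input is constructed here;
// JSON.parse turns the "__proto__" key into an ordinary own, enumerable property.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern (what jQuery.extend(true, ...) did before 3.4.0):
// every enumerable key of the source is copied. Reading target["__proto__"]
// hits the accessor on Object.prototype and returns the target's prototype,
// so the recursive merge writes straight into Object.prototype.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      target[key] = naiveDeepExtend(isPlainObject(target[key]) ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened pattern: "__proto__" is skipped, as in the 3.4.0 fix; "constructor"
// and "prototype" are skipped as an additional precaution assumed here.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepExtend(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Detection: Object.prototype has no own enumerable keys in a healthy process.
// Any that appear mean some merge accepted attacker-shaped input.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample: the kind of JSON body an application might hand to a
// deep extend without sanitising it first.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';

// Runs one merge implementation over the sample, reports which keys leaked
// into Object.prototype, then removes them so the process is left clean.
function demo(extendFn) {
  const settings = extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = pollutedPrototypeKeys();
  for (const k of leaked) delete Object.prototype[k];
  return { theme: settings.theme, leaked };
}

console.log('naive:', demo(naiveDeepExtend)); // leaked: ['polluted']
console.log('safe :', demo(safeDeepExtend));  // leaked: []
```

The `pollutedPrototypeKeys` check is cheap enough to run in a test suite or a health endpoint: a non-empty result after handling user-supplied JSON points at the merge that needs the `__proto__` guard.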
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Jquery | Jquery | < 3.4.0 | — |
| Debian | Debian Linux | 8.0 | — |
| Debian | Debian Linux | 9.0 | — |
| Debian | Debian Linux | 10.0 | — |
| Drupal | Drupal | >= 7.0, < 7.66 | — |
| Drupal | Drupal | >= 8.5.0, < 8.5.15 | — |
| Drupal | Drupal | >= 8.6.0, < 8.6.15 | — |
| Backdropcms | Backdrop | >= 1.11.0, < 1.11.9 | — |
| Backdropcms | Backdrop | >= 1.12.0, < 1.12.6 | — |
| Fedoraproject | Fedora | 28 | — |
| Fedoraproject | Fedora | 29 | — |
| Fedoraproject | Fedora | 30 | — |
| Opensuse | Backports Sle | 15.0 | Sp1 |
| Opensuse | Leap | 15.1 | — |
| Netapp | Oncommand System Manager | >= 3.0, <= 3.1.3 | — |
| Netapp | Snapcenter | All versions | — |
| Redhat | Cloudforms | 4.7 | — |
| Redhat | Virtualization Manager | 4.3 | — |
| Oracle | Agile Product Lifecycle Management For Process | 6.1 | — |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.0.0 | — |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.1.0 | — |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.2.0 | — |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.3.0 | — |
| Oracle | Application Express | < 19.1 | — |
| Oracle | Application Service Level Management | 13.2.0.0 | — |
| Oracle | Application Service Level Management | 13.3.0.0 | — |
| Oracle | Application Testing Suite | 12.5.0.3 | — |
| Oracle | Application Testing Suite | 13.1.0.1 | — |
| Oracle | Application Testing Suite | 13.2 | — |
| Oracle | Application Testing Suite | 13.2.0.1 | — |
| Oracle | Application Testing Suite | 13.3 | — |
| Oracle | Application Testing Suite | 13.3.0.1 | — |
| Oracle | Banking Digital Experience | 18.1 | — |
| Oracle | Banking Digital Experience | 18.2 | — |
| Oracle | Banking Digital Experience | 18.3 | — |
| Oracle | Banking Digital Experience | 19.1 | — |
| Oracle | Banking Digital Experience | 19.2 | — |
| Oracle | Banking Digital Experience | 20.1 | — |
| Oracle | Banking Enterprise Collections | >= 2.7.0, <= 2.8.0 | — |
| Oracle | Banking Platform | >= 2.4.0, <= 2.10.0 | — |
| Oracle | Bi Publisher | 5.5.0.0.0 | — |
| Oracle | Bi Publisher | 12.2.1.3.0 | — |
| Oracle | Bi Publisher | 12.2.1.4.0 | — |
| Oracle | Big Data Discovery | 1.6 | — |
| Oracle | Business Process Management Suite | 12.2.1.3.0 | — |
| Oracle | Business Process Management Suite | 12.2.1.4.0 | — |
| Oracle | Communications Analytics | 12.1.1 | — |
| Oracle | Communications Application Session Controller | 3.8m0 | — |
| Oracle | Communications Billing And Revenue Management | 7.5 | — |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 | — |
Showing 50 of 218 affected configurations. See NVD for the full list.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html (Mailing List, Third Party Advisory)
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html (Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html (Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html (Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2019/May/10 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/May/11 (Mailing List, Patch, Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/May/13 (Mailing List, Patch, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/06/03/2 (Mailing List, Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/108023 (Broken Link, Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHBA-2019:1570 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1456 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2587 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3023 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3024 (Third Party Advisory)
- https://backdropcms.org/security/backdrop-sa-core-2019-009 (Third Party Advisory)
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ (Release Notes, Vendor Advisory)
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b (Patch, Third Party Advisory)
- https://github.com/jquery/jquery/pull/4333 (Patch, Third Party Advisory)
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/ (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2019/Apr/32 (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jun/12 (Issue Tracking, Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2019/May/18 (Mailing List, Patch, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20190919-0001/ (Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006 (Exploit, Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4434 (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4460 (Third Party Advisory)
- https://www.drupal.org/sa-core-2019-006 (Patch, Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Patch, Third Party Advisory)
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ (Patch, Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_19_19 (Third Party Advisory)
- https://www.tenable.com/security/tns-2019-08 (Third Party Advisory)
- https://www.tenable.com/security/tns-2020-02 (Third Party Advisory)
Source: NVD / NIST
