Bug 1701972 (CVE-2019-11358)

Summary: CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, apevec, ascheel, bbuckingham, bcourt, bkearney, bmcclain, btotty, chazlett, dajohnso, dbecker, dblechte, dfediuck, dmetzger, drieden, eedri, fche, gblomqui, gmccullo, gshereme, gtanzill, hhorak, hhudgeon, ipa-maint, janstey, jfearn, jfrey, jhardy, jjoyce, jochrist, jorton, jprause, jschluet, jsmith.fedora, kbasil, kdixon, lberk, lewk, lhh, lpeer, maschmid, mburns, mgoldboi, mgoodwin, michal.skrivanek, mmccune, mrunge, nathans, nobody, nodejs-sig, obarenbo, omachace, patrickm, pcp-maint, pdrozd, peter, puiterwijk, pvalena, pvoborni, python-maint, rbean, rchan, rcritten, rdlugyhe, rdopiera, rhcs-maint, Rhev-m-bugs, rhos-maint, rjerrido, roliveri, ruby-maint, sbonazzo, sclewis, security-response-team, sgratch, sherold, simaishi, sisharma, slavek.kabrda, slinaber, sthorger, stickster, strzibny, tlestach, tscherf, vbellur, vondruch, vszocs, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jquery 3.4.0, drupal 7.66
Doc Type: If docs needed, set a value
Doc Text:
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-28 13:07:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1701993, 1701994, 1701996, 1701997, 1701998, 1701999, 1702000, 1729318, 1729319, 1729320, 1729321, 1729322, 1729323, 1729324, 1729325, 1729326, 1729327, 1701973, 1701974, 1701975, 1701976, 1701977, 1701978, 1701979, 1701980, 1702619, 1702620, 1713487, 1713488, 1713489, 1713490, 1713492, 1714269, 1714271, 1714272, 1714273, 1714274, 1714291, 1734230, 1734231, 1734232, 1735483, 1735484, 1741045, 1753842
Bug Blocks: 1702639

Description msiddiqu 2019-04-22 15:20:04 UTC
jquery is a JavaScript library. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers. Affected versions of this package are vulnerable to Prototype Pollution. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects.

Remediation: A fix was pushed into the master branch but not yet published.

Upstream patch:  

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://github.com/jquery/jquery/pull/4333/commits/5a853bce2d047115ef6d2b8a7e8b18a7df126ec8
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Upstream pull request:

https://github.com/jquery/jquery/pull/4333

References: 

https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
https://hackerone.com/reports/454365


External References: 

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://www.drupal.org/sa-core-2019-006

Comment 1 msiddiqu 2019-04-22 15:21:13 UTC
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1701973]


Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1701974]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1701975]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: fedora-all [bug 1701976]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: fedora-all [bug 1701977]


Created python-tw2-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1701978]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1701979]


Created rubygem-jquery-ui-rails tracking bugs for this issue:

Affects: fedora-all [bug 1701980]

Comment 2 msiddiqu 2019-04-22 16:18:50 UTC
Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1701993]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1701994]

Comment 3 msiddiqu 2019-04-22 16:23:26 UTC
Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1701996]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1701997]

Comment 4 msiddiqu 2019-04-22 16:24:52 UTC
Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1701998]

Comment 5 msiddiqu 2019-04-22 16:26:03 UTC
Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1701999]

Comment 6 msiddiqu 2019-04-22 16:27:05 UTC
Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1702000]

Comment 7 msiddiqu 2019-04-24 09:43:57 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1702620]
Affects: fedora-all [bug 1702619]

Comment 8 msiddiqu 2019-04-24 10:21:29 UTC
Two different CVE assignments noticed:

CVE-2019-11358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
CVE-2019-5428: https://github.com/nodejs/security-wg/pull/507/commits/fd2867ae2c71687af968fd60d333acbacd24e6bb

I had filed the flaw bug with CVE-2019-11358; need confirmation from analysts about which one this is.

Comment 15 Marco Benatto 2019-05-23 20:45:56 UTC
The jQuery library provides a jQuery.extend() function which merges the content of two or more objects into a target object.
Prior to version 3.4.0, the extend() function does not properly validate the parameters sent to it; an attacker can leverage
this weakness by using the __proto__ property on a well-formed input to create or inject new object properties or functions,
or cause unexpected behavior in the target application.
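
The pollution path described in the comment above, as an added example that is not jQuery's own source: a minimal deep merge written in the shape of jQuery.extend(true, ...) before 3.4.0, beside the same merge with the `__proto__` key check that 3.4.0 added. The `isPlainObject` helper, `deepExtendVulnerable`, `deepExtendFixed`, `probe` and the `isAdmin` payload are all constructed here for illustration and are not part of the bug or the upstream patch.

```javascript
// Added example, not jQuery's code: a deep merge that mirrors the recursion
// of jQuery.extend(true, target, source) prior to 3.4.0, and the fixed form.

function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  // Object.prototype itself has a null prototype, so it counts as "plain";
  // that is exactly what lets the recursion below walk into it.
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 control flow: for every key in `source`, read target[key] and, if
// both sides are plain objects, recurse into the *existing* target value.
// For the key "__proto__", target[key] resolves to Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (target === copy) continue;            // never-ending-loop guard (present upstream)
    if (copy && isPlainObject(copy)) {
      const src = target[name];
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same merge with the check jQuery 3.4.0 added: the "__proto__" key is skipped.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (copy && isPlainObject(copy)) {
      const src = target[name];
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse creates an *own* property literally
// named "__proto__" (an object literal would instead invoke the __proto__ setter).
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge attacker JSON into a fresh settings object, then check whether an
// unrelated object inherited the injected key. Cleans Object.prototype up
// afterwards so the demonstration does not leak into the rest of the process.
function probe(extendFn) {
  const settings = extendFn({ theme: "light" }, JSON.parse(PAYLOAD));
  const unrelated = {};
  const result = {
    settingsOwnsProto: Object.prototype.hasOwnProperty.call(settings, "__proto__"),
    unrelatedIsAdmin: unrelated.isAdmin,    // undefined unless Object.prototype was polluted
    prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, "isAdmin"),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("vulnerable:", probe(deepExtendVulnerable));
// vulnerable: { settingsOwnsProto: false, unrelatedIsAdmin: true, prototypePolluted: true }
console.log("fixed:     ", probe(deepExtendFixed));
// fixed:      { settingsOwnsProto: false, unrelatedIsAdmin: undefined, prototypePolluted: false }
```

The vulnerable run shows the point of the advisory: the merged `settings` object never gets an own `__proto__` property, yet an object created afterwards sees `isAdmin`, because the recursion was handed `Object.prototype` as its target. In this merge a key of `constructor` does not reach `Object.prototype`, since `target.constructor` is a function rather than a plain object and the clone falls back to a fresh `{}`; the `__proto__` check is what closes the deep-merge path. Code that merges untrusted JSON should still prefer a null-prototype target or schema validation over relying on that single-key check.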

Comment 22 errata-xmlrpc 2019-06-11 15:32:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.2 zip

Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

Comment 23 Joshua Padman 2019-07-11 23:12:08 UTC
Created python-XStatic-jQuery tracking bugs for this issue:

Affects: openstack-rdo [bug 1729326]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: openstack-rdo [bug 1729327]

Comment 32 Doran Moppert 2019-08-14 07:01:13 UTC
This vulnerability was addressed in the Red Hat Virtualization 4.3 package ovirt-engine-api-explorer via https://access.redhat.com/errata/RHBA-2019:1570

Comment 33 Doran Moppert 2019-08-14 07:01:21 UTC
Statement:

Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

Comment 35 Product Security DevOps Team 2019-08-28 13:07:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11358

Comment 36 errata-xmlrpc 2019-09-05 05:25:12 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:2587 https://access.redhat.com/errata/RHSA-2019:2587

Comment 39 errata-xmlrpc 2019-10-10 15:38:49 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2019:3023

Comment 40 errata-xmlrpc 2019-10-10 15:38:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024