Bug 1701972 (CVE-2019-11358) - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1701973 1701974 1701975 1701976 1701977 1701978 1701979 1701993 1701994 1701996 1701997 1701998 1701999 1702000 1713487 1713490 1714271 1714273 1714274 1714291 1729318 1729319 1729320 1729321 1729322 1729323 1729324 1729325 1729326 1729327 1701980 1702619 1702620 1713488 1713489 1713492 1714269 1714272 1734230 1734231 1734232 1735483 1735484 1741045 1753842
Blocks: 1702639
Reported: 2019-04-22 15:20 UTC by msiddiqu
Modified: 2019-10-10 15:39 UTC
CC: 89 users

Fixed In Version: jquery 3.4.0, drupal 7.66
Doc Type: If docs needed, set a value
Doc Text:
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
Clone Of:
Environment:
Last Closed: 2019-08-28 13:07:13 UTC


Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:1456  None      None    None     2019-06-11 15:32:39 UTC
Red Hat Product Errata  RHSA-2019:2587  None      None    None     2019-09-05 05:25:16 UTC
Red Hat Product Errata  RHSA-2019:3023  None      None    None     2019-10-10 15:38:52 UTC
Red Hat Product Errata  RHSA-2019:3024  None      None    None     2019-10-10 15:39:01 UTC

Description msiddiqu 2019-04-22 15:20:04 UTC
jquery is a JavaScript library. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers. Affected versions of this package are vulnerable to Prototype Pollution. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects.

Remediation: A fix was pushed into the master branch but not yet published.

Upstream patch:

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://github.com/jquery/jquery/pull/4333/commits/5a853bce2d047115ef6d2b8a7e8b18a7df126ec8
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Upstream pull request:

https://github.com/jquery/jquery/pull/4333

References:

https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
https://hackerone.com/reports/454365


External References:

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://www.drupal.org/sa-core-2019-006

Comment 1 msiddiqu 2019-04-22 15:21:13 UTC
Created js-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1701973]


Created js-jquery1 tracking bugs for this issue:

Affects: fedora-all [bug 1701974]


Created js-jquery2 tracking bugs for this issue:

Affects: fedora-all [bug 1701975]


Created python-XStatic-jQuery tracking bugs for this issue:

Affects: fedora-all [bug 1701976]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: fedora-all [bug 1701977]


Created python-tw2-jquery tracking bugs for this issue:

Affects: fedora-all [bug 1701978]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-all [bug 1701979]


Created rubygem-jquery-ui-rails tracking bugs for this issue:

Affects: fedora-all [bug 1701980]

Comment 2 msiddiqu 2019-04-22 16:18:50 UTC
Created python-tw-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1701993]


Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-6 [bug 1701994]

Comment 3 msiddiqu 2019-04-22 16:23:26 UTC
Created js-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1701996]


Created js-jquery1 tracking bugs for this issue:

Affects: epel-7 [bug 1701997]

Comment 4 msiddiqu 2019-04-22 16:24:52 UTC
Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: epel-7 [bug 1701998]

Comment 5 msiddiqu 2019-04-22 16:26:03 UTC
Created python-XStatic-jQuery tracking bugs for this issue:

Affects: epel-7 [bug 1701999]

Comment 6 msiddiqu 2019-04-22 16:27:05 UTC
Created python-tw2-jquery tracking bugs for this issue:

Affects: epel-7 [bug 1702000]

Comment 7 msiddiqu 2019-04-24 09:43:57 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1702620]
Affects: fedora-all [bug 1702619]

Comment 8 msiddiqu 2019-04-24 10:21:29 UTC
Two different CVE assignments noticed:

CVE-2019-11358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
CVE-2019-5428: https://github.com/nodejs/security-wg/pull/507/commits/fd2867ae2c71687af968fd60d333acbacd24e6bb

I had filed the flaw bug with CVE-2019-11358; need confirmation from analysts about which one this is.

Comment 15 Marco Benatto 2019-05-23 20:45:56 UTC
The jQuery library provides a jQuery.extend() function which merges the content of two or more objects into a target object. Prior to version 3.4.0 the extend() function doesn't properly validate the parameters sent to it; an attacker can leverage this weakness by using the __proto__ property on a well-formatted input to create or inject new object properties or functions, or to cause unexpected behavior in the target application.
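The extend() weakness described in the bug description and in Comment 15 above, as an added example that is not jQuery's own code: a minimal recursive merge in the pre-3.4.0 shape, a hardened form that skips `__proto__` as the upstream patch does, and a defender-side input check; the function names, the `isAdmin` key and the JSON input are constructed for illustration.

```javascript
// Added example (not jQuery's code): the deep branch of extend(true, ...)
// reduced to its essentials, before and after hardening.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Pre-3.4.0 shape: every source key is an ordinary property. For the key
// "__proto__", target[name] resolves to Object.prototype, so the recursive
// call writes the attacker's keys onto the prototype shared by all objects.
function deepMergeVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const existing = target[name];
      target[name] = deepMergeVulnerable(isPlainObject(existing) ? existing : {}, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened shape: skip "__proto__" (the upstream fix) and copy own keys only.
// Skipping "constructor" and "prototype" is extra hardening beyond that fix.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepMergeHardened(target, source) {
  for (const name of Object.keys(source)) {
    if (UNSAFE_KEYS.has(name)) continue;
    const copy = source[name];
    if (isPlainObject(copy)) {
      const existing = target[name];
      target[name] = deepMergeHardened(isPlainObject(existing) ? existing : {}, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Defender check: paths of keys that would reach the prototype chain, so a
// request body can be rejected before any merge runs.
function findUnsafeKeys(value, path = "") {
  if (!isPlainObject(value)) return [];
  return Object.keys(value).flatMap((k) => {
    const p = path ? `${path}.${k}` : k;
    return UNSAFE_KEYS.has(k) ? [p] : findUnsafeKeys(value[k], p);
  });
}

// Constructed input. It must come through JSON.parse: an object literal with
// "__proto__" would set the prototype, whereas JSON.parse makes it an own
// enumerable key, which is what a parsed request body hands to extend().
const UNTRUSTED_JSON = '{"name":"widget","options":{"__proto__":{"isAdmin":true}}}';

// Merges once and reports whether an unrelated object now inherits isAdmin;
// any pollution is undone afterwards so the rest of the process is unaffected.
function runDemo(merge) {
  const target = merge({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, name: target.name };
}
```

Run with `node` and call `runDemo(deepMergeVulnerable)`, `runDemo(deepMergeHardened)` and `findUnsafeKeys(JSON.parse(UNTRUSTED_JSON))` to see the three results.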

Comment 22 errata-xmlrpc 2019-06-11 15:32:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.2 zip

Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

Comment 23 Joshua Padman 2019-07-11 23:12:08 UTC
Created python-XStatic-jQuery tracking bugs for this issue:

Affects: openstack-rdo [bug 1729326]


Created python-XStatic-jquery-ui tracking bugs for this issue:

Affects: openstack-rdo [bug 1729327]

Comment 32 Doran Moppert 2019-08-14 07:01:13 UTC
This vulnerability was addressed in Red Hat Virtualization 4.3 package ovirt-engine-api-explorer via https://access.redhat.com/errata/RHBA-2019:1570

Comment 33 Doran Moppert 2019-08-14 07:01:21 UTC
Statement:

Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

Comment 35 Product Security DevOps Team 2019-08-28 13:07:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11358

Comment 36 errata-xmlrpc 2019-09-05 05:25:12 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:2587 https://access.redhat.com/errata/RHSA-2019:2587

Comment 39 errata-xmlrpc 2019-10-10 15:38:49 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2019:3023

Comment 40 errata-xmlrpc 2019-10-10 15:38:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024