jquery is a JavaScript library. It makes things like HTML document traversal and manipulation, event handling, animation, and Ajax much simpler with an easy-to-use API that works across a multitude of browsers.

Affected versions of this package are vulnerable to Prototype Pollution. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects.

Remediation:
A fix was pushed into the master branch but not yet published.

Upstream patch:
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://github.com/jquery/jquery/pull/4333/commits/5a853bce2d047115ef6d2b8a7e8b18a7df126ec8
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Upstream pull request:
https://github.com/jquery/jquery/pull/4333

References:
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
https://hackerone.com/reports/454365

External References:
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://www.drupal.org/sa-core-2019-006
Created js-jquery tracking bugs for this issue:
Affects: fedora-all [bug 1701973]

Created js-jquery1 tracking bugs for this issue:
Affects: fedora-all [bug 1701974]

Created js-jquery2 tracking bugs for this issue:
Affects: fedora-all [bug 1701975]

Created python-XStatic-jQuery tracking bugs for this issue:
Affects: fedora-all [bug 1701976]

Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: fedora-all [bug 1701977]

Created python-tw2-jquery tracking bugs for this issue:
Affects: fedora-all [bug 1701978]

Created rubygem-jquery-rails tracking bugs for this issue:
Affects: fedora-all [bug 1701979]

Created rubygem-jquery-ui-rails tracking bugs for this issue:
Affects: fedora-all [bug 1701980]

Created python-tw-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1701993]

Created python-tw2-jquery tracking bugs for this issue:
Affects: epel-6 [bug 1701994]

Created js-jquery tracking bugs for this issue:
Affects: epel-7 [bug 1701996]

Created js-jquery1 tracking bugs for this issue:
Affects: epel-7 [bug 1701997]
Created python-XStatic-jquery-ui tracking bugs for this issue: Affects: epel-7 [bug 1701998]
Created python-XStatic-jQuery tracking bugs for this issue: Affects: epel-7 [bug 1701999]
Created python-tw2-jquery tracking bugs for this issue: Affects: epel-7 [bug 1702000]
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1702620]
Affects: fedora-all [bug 1702619]
Two different CVE assignments noticed:
CVE-2019-11358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
CVE-2019-5428: https://github.com/nodejs/security-wg/pull/507/commits/fd2867ae2c71687af968fd60d333acbacd24e6bb

I had filed the flaw bug with CVE-2019-11358; I need confirmation from analysts about which one this is.
The jQuery library provides a jQuery.extend() function which merges the content of two or more objects into a target object. Prior to version 3.4.0, the extend() function doesn't properly validate the parameters sent to it; an attacker can leverage this weakness by using the __proto__ property on a well-formatted input to create or inject new object properties or functions, or cause unexpected behavior on the target application.
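To make the missing validation concrete, here is an added JavaScript example (not jQuery's own code): a simplified deep merge in the style of jQuery.extend(true, ...) before 3.4.0, beside a hardened variant that skips the `__proto__` key as the 3.4.0 fix does, plus a regression check that a defender can run against any merge utility. The JSON payload string and the function names are constructed for this example.

```javascript
// Added example (not jQuery's own code): a simplified deep merge like
// jQuery.extend(true, ...) before 3.4.0, and a hardened variant that skips
// the "__proto__" key the way the 3.4.0 fix does.
// Like jQuery's isPlainObject, objects with no prototype count as plain,
// which is why Object.prototype itself looks like a mergeable target.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}
// Unsafe: walks every key of src, "__proto__" included. target["__proto__"]
// reads back Object.prototype, which then becomes the recursion target.
function unsafeDeepMerge(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = unsafeDeepMerge(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}
// Hardened: skip "__proto__" (the 3.4.0 check) plus "constructor" and
// "prototype" as defence in depth, and only reuse target's OWN nested objects.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target, src) {
  for (const name of Object.keys(src)) {
    if (BLOCKED_KEYS.has(name)) continue;
    const copy = src[name];
    if (isPlainObject(copy)) {
      const own = Object.prototype.hasOwnProperty.call(target, name);
      const clone = own && isPlainObject(target[name]) ? target[name] : {};
      target[name] = safeDeepMerge(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}
// Regression check: merge a constructed JSON document of the shape described
// above and report whether Object.prototype was touched; always cleans up.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed
  mergeFn({}, payload);
  const hit = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return hit;
}
```

`pollutes(unsafeDeepMerge)` returns true and `pollutes(safeDeepMerge)` returns false, while `safeDeepMerge` still merges ordinary nested objects as expected.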
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.2 zip

Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

Created python-XStatic-jQuery tracking bugs for this issue:
Affects: openstack-rdo [bug 1729326]

Created python-XStatic-jquery-ui tracking bugs for this issue:
Affects: openstack-rdo [bug 1729327]
This vulnerability was addressed in the Red Hat Virtualization 4.3 package ovirt-engine-api-explorer via https://access.redhat.com/errata/RHBA-2019:1570
Statement: Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11358
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:2587 https://access.redhat.com/errata/RHSA-2019:2587

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2019:3023

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:1325 https://access.redhat.com/errata/RHSA-2020:1325

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHBA-2020:0402 https://access.redhat.com/errata/RHBA-2020:0402

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:5581 https://access.redhat.com/errata/RHSA-2020:5581

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7343 https://access.redhat.com/errata/RHSA-2022:7343

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049