ASA-2019-00224 – jQuery: Object Prototype Pollution Vulnerability


Allele Security Alert

ASA-2019-00224

Identifier(s)

ASA-2019-00224, CVE-2019-11358

Title

Object Prototype Pollution Vulnerability

Vendor(s)

The jQuery project

Product(s)

jQuery

Affected version(s)

jQuery versions prior to v3.4.0

Fixed version(s)

jQuery version v3.4.0

Proof of concept

Unknown

Description

An object prototype pollution vulnerability was discovered in jQuery, a JavaScript library.

A JavaScript object is like a variable that can store multiple values based on a predefined structure. A prototype defines an object’s default structure and default values; it is essential for specifying an expected structure, particularly when no value is set.

This vulnerability enables an attacker to modify a web application’s JavaScript object prototype. However, each exploitation must be fine-tuned individually for the specific target, which requires the attacker to have in-depth knowledge of how each web application works.
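The following is an added illustration, not part of the original alert and not jQuery's source: a simplified recursive merge in the style of the `$.extend( true, … )` call named in the references, run with and without a guard on the `__proto__` key. The names `deepMerge`, `isPlainObject` and `probe`, the `polluted` property and the sample JSON are constructed for this example; the guard is a simplified form of one way to prevent the issue.

```javascript
// Simplified stand-in for a recursive ("deep") merge; NOT jQuery's code.
// All names and the sample input below are constructed for illustration.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// guard = false: unguarded merge; guard = true: the "__proto__" key is skipped.
function deepMerge(target, source, guard) {
  for (const name of Object.keys(source)) {
    if (guard && name === "__proto__") continue; // hardened: never merge into the prototype
    const copy = source[name];
    if (isPlainObject(copy)) {
      // Reading target["__proto__"] returns Object.prototype, so an unguarded
      // merge recurses into the shared prototype instead of a fresh object.
      const existing = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepMerge(existing, copy, guard);
    } else {
      target[name] = copy;
    }
  }
  return target;
}

// Merge constructed untrusted JSON, then report whether an unrelated,
// freshly created object now carries the merged property.
function probe(guard) {
  const untrusted = JSON.parse(
    '{"theme": {"dark": true}, "__proto__": {"polluted": true}}'
  );
  const merged = deepMerge({}, untrusted, guard);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the global prototype after the check
  return { leaked: leaked, dark: merged.theme.dark };
}

console.log("unguarded:", probe(false));
console.log("guarded:  ", probe(true));
```

The same `leaked` check can serve as a regression test for any in-house deep-merge helper that accepts parsed JSON from outside the application.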

Technical details

Unknown

Credits

Unknown

Reference(s)

After three years of silence, a new jQuery prototype pollution vulnerability emerges once again
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/

[SingCERT] Object Prototype Pollution Vulnerability (CVE-2019-11358) in jQuery
https://www.csa.gov.sg/singcert/news/advisories-alerts/object-prototype-pollution-vulnerability-in-jquery

Core: Prevent Object.prototype pollution for $.extend( true, … )
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Core: Prevent Object.prototype pollution for $.extend( true, … ) #4333
https://github.com/jquery/jquery/pull/4333

jQuery 3.4.0 Released
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2019-006
https://www.drupal.org/sa-core-2019-006

CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

CVE-2019-11358
https://nvd.nist.gov/vuln/detail/CVE-2019-11358

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: April 27, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.