Allele Security Alert
ASA-2019-00311
Identifier(s)
ASA-2019-00311, CVE-2019-11358
Title
jQuery Prototype pollution
Vendor(s)
Django Software Foundation
Product(s)
Django
Affected version(s)
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Fixed version(s)
Django 2.2.2
Django 2.1.9
Proof of concept
Unknown
Description
jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contains an enumerable __proto__ property, a deep extend can write through it into the native Object.prototype, so every object in the page inherits the attacker-supplied keys.
The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().
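The following is an added example, not code from jQuery, Django or Allele Security. It models the flaw with a small deep-merge written here for illustration (deepExtendVulnerable and deepExtendHardened are hypothetical names, not jQuery APIs), feeds it a constructed JSON payload of the kind an application might merge into default options, and shows that the vulnerable merge leaves a new key on Object.prototype while the hardened merge, which skips the "__proto__" key as jQuery 3.4.0 does, does not.

```javascript
// Added example: a minimal deep merge in the spirit of
// jQuery.extend(true, target, source) before 3.4.0, beside a hardened form.
// Neither function is jQuery's code; both are constructed for illustration.

// Vulnerable: recurses into every own enumerable key of the source, including
// "__proto__". target["__proto__"] resolves to Object.prototype, which is a
// plain object, so the recursion reuses it as the merge target and writes
// the attacker's keys into it.
function deepExtendVulnerable(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: refuses to descend through "__proto__" and never merges an
// object into itself (the two checks jQuery 3.4.0 added). A stricter merge
// would also reject "constructor" and "prototype".
function deepExtendHardened(target, source) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) {
      continue;
    }
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtendHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body an application merges
// into its defaults. JSON.parse creates "__proto__" as an own data property
// (it does not invoke the setter), so Object.keys() lists it.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": true}}';

// Runs one merge function against the payload and reports whether an
// unrelated, freshly created object gained the injected key. Cleans up
// Object.prototype afterwards so later code is not affected.
function runPollution(extendFn) {
  const before = ({}).polluted; // undefined on a clean prototype
  extendFn({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const after = ({}).polluted;  // true if Object.prototype was written to
  delete Object.prototype.polluted;
  return { before, after };
}

// Sanity check that the hardened merge still does a normal deep merge.
function mergeBenign() {
  return JSON.stringify(deepExtendHardened({ a: { b: 1 } }, { a: { c: 2 }, d: 3 }));
}

console.log("vulnerable:", runPollution(deepExtendVulnerable));
console.log("hardened:  ", runPollution(deepExtendHardened));
console.log("benign:    ", mergeBenign());
```

The real-world shape of the bug is jQuery.extend(true, defaults, JSON.parse(untrustedInput)); once Object.prototype carries an attacker-chosen key, every later `if (obj.someFlag)` check in the page sees it. Upgrading to the fixed Django versions above (or jQuery 3.4.0+) removes the sink; validating merged input against an allow-list of expected keys removes the source.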
Technical details
Unknown
Credits
Unknown
Reference(s)
Django security releases issued: 2.2.2, 2.1.9 and 1.11.21
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
Applied jQuery patch for CVE-2019-11358
https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
[2.2.x] Applied jQuery patch for CVE-2019-11358.
https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
[2.1.x] Applied jQuery patch for CVE-2019-11358.
https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
ASA-2019-00224 – JQUERY: OBJECT PROTOTYPE POLLUTION VULNERABILITY
https://allelesecurity.com/asa-2019-00224/
Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
https://seclists.org/oss-sec/2019/q2/138
CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
CVE-2019-11358
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 3, 2019