CVE-2019-11358 — MEDIUM (6.1)

Q: How severe is CVE-2019-11358?

CVE-2019-11358 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11358?

Check the references section above for vendor advisories and patch information. Affected products include: Jquery Jquery, Debian Debian Linux, Drupal Drupal, Backdropcms Backdrop, Fedoraproject Fedora.

Vulnerability Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Jquery	Jquery	< 3.4.0
Debian	Debian Linux	8.0
Drupal	Drupal	>= 7.0, < 7.66
Backdropcms	Backdrop	>= 1.11.0, < 1.11.9
Fedoraproject	Fedora	28
Opensuse	Backports Sle	15.0
Opensuse	Leap	15.1
Netapp	Oncommand System Manager	>= 3.0, <= 3.1.3
Netapp	Snapcenter	-
Redhat	Cloudforms	4.7
Redhat	Virtualization Manager	4.3
Oracle	Agile Product Lifecycle Management For Process	6.1
Oracle	Application Express	< 19.1
Oracle	Application Service Level Management	13.2.0.0
Oracle	Application Testing Suite	12.5.0.3
Oracle	Banking Digital Experience	18.1
Oracle	Banking Enterprise Collections	>= 2.7.0, <= 2.8.0
Oracle	Banking Platform	>= 2.4.0, <= 2.10.0
Oracle	Bi Publisher	5.5.0.0.0
Oracle	Big Data Discovery	1.6

Related Weaknesses (CWE)

CWE-1321

References

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-DependenciesThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-ExecutionThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.htmThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2019/May/10Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/May/11Mailing ListPatchThird Party Advisory
http://seclists.org/fulldisclosure/2019/May/13Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/06/03/2Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/108023Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:1570Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1456Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2587Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3023Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3024Third Party Advisory

FAQ

What is CVE-2019-11358?

CVE-2019-11358 is a vulnerability with a CVSS score of 6.1 (MEDIUM). jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an en...

How severe is CVE-2019-11358?

CVE-2019-11358 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11358?

Check the references section above for vendor advisories and patch information. Affected products include: Jquery Jquery, Debian Debian Linux, Drupal Drupal, Backdropcms Backdrop, Fedoraproject Fedora.