#VU18092 Prototype pollution in jQuery


Published: 2020-06-03

Vulnerability identifier: #VU18092

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11358

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
jQuery
Web applications / JS libraries

Vendor: The jQuery Team

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to prototype pollution. A remote attacker can trick the extend function can into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects and perform a denial of service (DoS) attack.

Mitigation
Update to version 3.4.0.

Vulnerable software versions

jQuery: 1.0.0 - 3.3.1

CPE

External links
http://github.com/jquery/jquery/pull/4333
http://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
http://snyk.io/vuln/SNYK-JS-JQUERY-174006

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Sterling B2B Integrator
Multiple vulnerabilities in Red Hat Single Sign-On 7.6
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 7
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 8
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 9
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for OpenShift
Multiple vulnerabilities in Tenable Nessus
Multiple vulnerabilities in IBM Process Mining
Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 9
Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 8