CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.035 Low
Percentile: 91.6%
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Recent assessments:
ANHKWAR on May 16, 2022 7:23am UTC reported:
I don’t know what kind of expression is officially used, but it is a vulnerability that can change common objects.
When I tried it on the console, it became as follows.
Prepare the variables test1 and test2, and assign the character string to the test of “__proto__” of test1.
Then, test2 will also display the character string assigned to test1.
I don’t know what the specifications are, but the same phenomenon occurs when using “__proto__” for the elements of the array.
If you assign {“admin”: 123456} to test[“__proto__”], the admin property will be created in test, and only the assigned value will be entered (123456 in this example).
If you assign {“user”: 999999} to test[“user”], the user property will be created in test, and the assigned JSON itself will be entered.
Impact
Existing properties may be added or modified.
As a result, it can lead to DoS and remote code execution.
Also, changing properties can lead to logic evasion and privilege escalation.
First of all, I downloaded 3.3.1 and 3.4.1 to check the phenomenon.
<https://jquery.com/download/>
By using the verification code in the following article, we were able to confirm the operation of the vulnerability.
let a = $.extend(true, {}, JSON.parse('{"__proto__": {"devMode": true}}'));
console.log({}.devMode);
The result of console.log:
3.3.1: true
3.4.1: undefined
Confirmation of correction points
Since I was able to confirm the operation, I decided to confirm the correction points.
As I noticed, verification was added to see if the name was “__proto__”.
When I tried removing this validation, prototype pollution occurred.
I’m not familiar with JavaScript, so I can’t understand what I’m doing just by reading the source code.
Let’s actually look at the data handled in the process.
Since I was checking the contents of “name”, let’s see what the name is.
A lot came out.
After a little research, it looks like a jQuery function.
“__proto__” is also included.
Since name contains “__proto__”, look for the place where you are using name as an element of the array and assigning it.
Since there were two places, I set console.log.
The results came out messed up so I filtered it.
It was the first place that used “__proto__”.
I made a pinpoint fix to show devMode and the content was nicely displayed.
Assessed Attacker Value: 2
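The CVE description and the console experiment in the assessment above both come down to one behaviour of a recursive extend: a key named `__proto__` on a JSON-parsed source object is an own, enumerable property, and writing it onto a target walks through the target's `__proto__` accessor into Object.prototype. The following is an added example, not jQuery's code and not the assessor's, that reproduces that behaviour in a minimal deep-merge and places beside it the check the 3.4.0 fix introduced (skipping a key named `__proto__`). It also shows a cheap runtime check a defender can use: `Object.keys(Object.prototype)` should be empty. The function names `isPlainObject`, `extendVulnerable`, `extendSafe`, `polluted` and `demo` and the JSON input are constructed for this example.

```javascript
// Added example (not jQuery's code): a minimal recursive "extend" that
// reproduces the pre-3.4.0 behaviour, next to a hardened version that
// applies the same check the 3.4.0 fix introduced (skip "__proto__").

// Plain object: prototype is Object.prototype or null (no class instances).
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable: copies every own enumerable key, including "__proto__".
// For name === "__proto__", target[name] reads the accessor and yields
// Object.prototype, which passes isPlainObject, so the recursion writes
// the source's keys straight onto the shared prototype.
function extendVulnerable(target, source) {
  for (const name of Object.keys(source)) {
    const src = source[name];
    if (isPlainObject(src)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = extendVulnerable(clone, src);
    } else if (src !== undefined) {
      target[name] = src;
    }
  }
  return target;
}

// Hardened: identical, except a key literally named "__proto__" is never
// copied. This mirrors the name check jQuery 3.4.0 added to jQuery.extend.
function extendSafe(target, source) {
  for (const name of Object.keys(source)) {
    if (name === "__proto__") continue;
    const src = source[name];
    if (isPlainObject(src)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = extendSafe(clone, src);
    } else if (src !== undefined) {
      target[name] = src;
    }
  }
  return target;
}

// Detection helper: a clean Object.prototype has no own enumerable keys.
// Anything returned here was put there by some code path (legitimate or not).
function polluted() {
  return Object.keys(Object.prototype);
}

// Worked run over a constructed input. JSON.parse is essential: the literal
// ({ "__proto__": {...} }) would set the object's prototype instead of
// creating an own property, and Object.keys would never see it.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"devMode": true}, "name": "x"}');

  const before = {}.devMode;                 // undefined: prototype is clean
  const pollutedKeysBefore = polluted();     // []

  extendVulnerable({}, untrusted);
  const afterVulnerable = {}.devMode;        // true: Object.prototype polluted
  const pollutedKeysAfter = polluted();      // ["devMode"]
  delete Object.prototype.devMode;           // clean up before the safe run

  const out = extendSafe({}, untrusted);
  const afterSafe = {}.devMode;              // undefined: key was skipped

  return { before, pollutedKeysBefore, afterVulnerable, pollutedKeysAfter,
           afterSafe, safeName: out.name, cleanAgain: polluted().length === 0 };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node`. The `polluted()` check is the kind of assertion worth putting in a test suite for any code that deep-merges untrusted JSON: it fails the moment any merge path, not just jQuery's, writes to the shared prototype. Note that the 3.4.0-style name check stops `__proto__` but not `constructor.prototype` style keys; merging into `Object.create(null)` targets or using `Object.hasOwn` checks are the complementary defences.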
lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
seclists.org/fulldisclosure/2019/May/10
seclists.org/fulldisclosure/2019/May/11
seclists.org/fulldisclosure/2019/May/13
www.openwall.com/lists/oss-security/2019/06/03/2
www.securityfocus.com/bid/108023
access.redhat.com/errata/RHBA-2019:1570
access.redhat.com/errata/RHSA-2019:1456
access.redhat.com/errata/RHSA-2019:2587
access.redhat.com/errata/RHSA-2019:3023
access.redhat.com/errata/RHSA-2019:3024
access.redhat.com/security/cve/cve-2019-11358
backdropcms.org/security/backdrop-sa-core-2019-009
blog.jquery.com/2019/04/10/jquery-3-4-0-released
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
github.com/jquery/jquery/pull/4333
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E
lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E
lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E
lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E
lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E
lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E
lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E
lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E
lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E
lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
lists.debian.org/debian-lts-announce/2019/05/msg00006.html
lists.debian.org/debian-lts-announce/2019/05/msg00029.html
lists.debian.org/debian-lts-announce/2020/02/msg00024.html
lists.debian.org/debian-lts-announce/2023/08/msg00040.html
lists.fedoraproject.org/archives/list/[email protected]/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
lists.fedoraproject.org/archives/list/[email protected]/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
lists.fedoraproject.org/archives/list/[email protected]/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
lists.fedoraproject.org/archives/list/[email protected]/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
lists.fedoraproject.org/archives/list/[email protected]/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
lists.fedoraproject.org/archives/list/[email protected]/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
seclists.org/bugtraq/2019/Apr/32
seclists.org/bugtraq/2019/Jun/12
seclists.org/bugtraq/2019/May/18
security.netapp.com/advisory/ntap-20190919-0001
snyk.io/vuln/SNYK-JS-JQUERY-174006
supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1
www.debian.org/security/2019/dsa-4434
www.debian.org/security/2019/dsa-4460
www.drupal.org/sa-core-2019-006
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpujan2020.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/security-alerts/cpuoct2021.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery
www.rapid7.com/db/vulnerabilities/jquery-cve-2019-11358/
www.synology.com/security/advisory/Synology_SA_19_19
www.tenable.com/security/tns-2019-08
www.tenable.com/security/tns-2020-02