CVE-2019-11358

NameCVE-2019-11358
DescriptionjQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1777-1, DLA-1797-1, DLA-2118-1, DLA-3551-1, DSA-4434-1, DSA-4460-1, ELA-109-1
Debian Bugs927330, 927385, 927466

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)jessie, jessie (lts)7.32-1+deb8u19fixed
stretch (security), stretch (lts), stretch7.52-2+deb9u18fixed
jquery (PTS)jessie, jessie (lts)1.7.2+dfsg-3.2+deb8u7fixed
stretch (security), stretch (lts), stretch3.1.1-2+deb9u2fixed
buster3.3.1~dfsg-3+deb10u1fixed
mediawiki (PTS)stretch (security)1:1.27.7-1+deb9u11fixed
stretch (lts), stretch1:1.27.7-1+deb9u13fixed
buster1:1.31.16-1+deb10u2fixed
buster (security)1:1.31.16-1+deb10u7fixed
bullseye (security), bullseye1:1.35.13-1~deb11u1fixed
bookworm (security), bookworm1:1.39.5-1~deb12u1fixed
sid, trixie1:1.39.6-1fixed
node-jquery (PTS)buster2.2.4+dfsg-4fixed
bullseye3.5.1+dfsg+~3.5.5-7fixed
sid, trixie, bookworm3.6.1+dfsg+~3.5.14-1fixed
otrs2 (PTS)jessie, jessie (lts)3.3.18-1+deb8u15fixed
stretch/non-free (security), stretch/non-free (lts), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free6.0.16-2vulnerable
buster/non-free (security)6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal7sourcewheezy(unfixed)end-of-life
drupal7sourcejessie7.32-1+deb8u17DLA-1797-1
drupal7sourcestretch7.52-2+deb9u8DSA-4434-1
drupal7source(unstable)(unfixed)927330
jquerysourcewheezy1.7.2+dfsg-1+deb7u1ELA-109-1
jquerysourcejessie1.7.2+dfsg-3.2+deb8u6DLA-1777-1
jquerysourcestretch3.1.1-2+deb9u1
jquerysource(unstable)3.3.1~dfsg-2927385
mediawikisourcewheezy(unfixed)end-of-life
mediawikisourcestretch1:1.27.7-1~deb9u1DSA-4460-1
mediawikisource(unstable)1:1.31.2-1
node-jquerysource(unstable)2.2.4+dfsg-4927466
otrs2sourcewheezy(unfixed)end-of-life
otrs2sourcejessie3.3.18-1+deb8u14DLA-2118-1
otrs2sourcebuster6.0.16-2+deb10u1DLA-3551-1
otrs2source(unstable)6.0.26-1

Notes

[stretch] - otrs2 <ignored> (Non-free not supported)
https://www.drupal.org/sa-core-2019-006
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://phabricator.wikimedia.org/T221739
https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
https://community.otrs.com/security-advisory-2020-05/

Search for package or bug name: Reporting problems