CVE-2019-11358
CVSS base score: 6.1
Tags: Exploit

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
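The following is an added, self-contained illustration of the mechanism described above; it is not jQuery's code and not part of the original advisory. `deepExtendVulnerable` is a simplified model of a recursive merge that treats a source key named `__proto__` like any other key, and `deepExtendHardened` applies the same fix that jQuery 3.4.0 shipped in the referenced pull request: skip that key. The JSON payload, the `polluted` marker property and the helper names are constructed for the demonstration.

```javascript
"use strict";

// Simplified model of a recursive ("deep") extend with the same flaw that
// CVE-2019-11358 describes for jQuery.extend(true, {}, ...). This is NOT
// jQuery's code; it only reproduces the mechanism.
function isPlainObject(value) {
  if (Object.prototype.toString.call(value) !== "[object Object]") {
    return false;
  }
  const proto = Object.getPrototypeOf(value);
  // Object.prototype itself has a null prototype, so it passes this test.
  // That is exactly what lets the recursion below write into it.
  return proto === null || proto === Object.prototype;
}

// Vulnerable: a source key named "__proto__" is treated like any other key.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      // target["__proto__"] yields Object.prototype, which isPlainObject
      // accepts, so the recursion merges the payload straight into it.
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip "__proto__" (the check added in jQuery 3.4.0) and only
// walk the source's own enumerable properties.
function deepExtendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendHardened(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: a fresh empty object must never see a "polluted" property.
function isPrototypePolluted() {
  return ({}).polluted !== undefined;
}

// Constructed attacker payload, e.g. a JSON body that an application merges
// into its settings. JSON.parse creates "__proto__" as an ordinary own,
// enumerable key rather than invoking the prototype accessor.
const PAYLOAD = '{"__proto__": {"polluted": true}, "theme": "dark"}';

function runExtend(extendFn) {
  const settings = extendFn({}, JSON.parse(PAYLOAD));
  const result = {
    polluted: isPrototypePolluted(),
    themeCopied: settings.theme === "dark",
  };
  // Undo any pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;
  return result;
}

// Runs both variants against the same payload and reports whether
// Object.prototype was polluted and whether the legitimate key arrived.
function demo() {
  return {
    vulnerable: runExtend(deepExtendVulnerable),
    hardened: runExtend(deepExtendHardened),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` and the vulnerable variant reports `polluted: true` while the hardened one reports `polluted: false`, both with `themeCopied: true`. The key detail is `isPlainObject(Object.prototype)` returning true: once `target["__proto__"]` resolves to `Object.prototype` the recursion happily merges attacker keys into it, which is why a deny-list on the key name (not just on the value) is required. Blocking `__proto__` closes the path exercised here; merge implementations that accept a `constructor` object should also refuse to recurse into `constructor.prototype`.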

Data is provided by the National Vulnerability Database (NVD)
Affected products (CPE data)
Vendor | Product | Affected versions
jQuery | jQuery | < 3.4.0
Debian | Debian Linux | 8.0, 9.0, 10.0
Drupal | Drupal | >= 7.0 < 7.66; >= 8.5.0 < 8.5.15; >= 8.6.0 < 8.6.15
Backdrop CMS | Backdrop | >= 1.11.0 < 1.11.9; >= 1.12.0 < 1.12.6
Fedora Project | Fedora | 28, 29, 30
openSUSE | Backports SLE | 15.0 SP1
openSUSE | Leap | 15.1
NetApp | OnCommand System Manager | >= 3.0 <= 3.1.3
NetApp | SnapCenter | (unspecified)
Red Hat | CloudForms | 4.7
Oracle | Application Express | < 19.1
Oracle | Application Testing Suite | 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
Oracle | Banking Enterprise Collections | >= 2.7.0 <= 2.8.0
Oracle | Banking Platform | >= 2.4.0 <= 2.10.0
Oracle | BI Publisher | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
Oracle | Big Data Discovery | 1.6
Oracle | Communications Analytics | 12.1.1
Oracle | Communications Eagle Application Processor | >= 16.1.0 <= 16.4.0
Oracle | Communications Operations Monitor | >= 4.1 <= 4.3
Oracle | Diagnostic Assistant | 2.12.36
Oracle | Financial Services Data Foundation | >= 8.0.4 <= 8.0.8
Oracle | Financial Services Data Integration Hub | >= 8.0.5 <= 8.0.7
Oracle | Financial Services Funds Transfer Pricing | >= 8.0.4 <= 8.0.7
Oracle | Fusion Middleware MapViewer | 12.2.1.3.0
Oracle | Healthcare Foundation | 7.1.1, 7.2.0, 7.2.2, 7.3.0
Oracle | Hospitality Guest Access | 4.2.0, 4.2.1
Oracle | Hospitality Simphony | 18.1, 18.2; >= 19.1.0 <= 19.1.2
Oracle | Identity Manager | 12.2.1.3.0
Oracle | Insurance Data Foundation | >= 8.0.4 <= 8.0.7
Oracle | Insurance Insbridge Rating and Underwriting | >= 5.0.0.0 <= 5.6.0.0
Oracle | JDeveloper | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle | JDeveloper and ADF | 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
Oracle | Knowledge | >= 8.6.0 <= 8.6.3
Oracle | Policy Automation | 10.4.7, 12.1.0, 12.1.1; >= 12.2.0 <= 12.2.15
Oracle | Policy Automation for Mobile Devices | >= 12.2.0 <= 12.2.15
Oracle | Primavera Gateway | 15.2.18; >= 16.2.0 <= 16.2.11; >= 17.12.0 <= 17.12.7; >= 18.8.0 <= 18.8.9; >= 19.12.0 <= 19.12.4
Oracle | Primavera Unifier | 16.1, 16.2, 18.8; >= 17.7 <= 17.12
Oracle | Real-Time Scheduler | >= 2.3.0.1 <= 2.3.0.3
Oracle | REST Data Services | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Oracle | Retail Back Office | 14.0, 14.1
Oracle | Retail Central Office | 14.0, 14.1
Oracle | Service Bus | 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
Oracle | Siebel Mobile Applications | <= 19.8
Oracle | Siebel UI Framework | 20.8
Oracle | System Utilities | 19.1
Oracle | Tape Library ACSLS | 8.5, 8.5.1
Oracle | Utilities Mobile Workforce Management | >= 2.3.0.1 <= 2.3.0.3
Oracle | WebCenter Sites | 12.2.1.3.0
Oracle | WebLogic Server | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Joomla | Joomla! | >= 3.0.0 <= 3.9.4
Juniper | Junos | 21.2
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 2.4% | 0.845
CVSS metrics
Source | Version | Base score | Exploitability | Impact | Vector string
nvd@nist.gov | 3.1 | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 2.0 | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N
Weakness: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References
http://seclists.org/fulldisclosure/2019/May/10 (Third Party Advisory, Mailing List)
http://seclists.org/fulldisclosure/2019/May/11 (Patch, Third Party Advisory, Mailing List)
http://seclists.org/fulldisclosure/2019/May/13 (Patch, Third Party Advisory, Mailing List)
https://seclists.org/bugtraq/2019/May/18 (Patch, Third Party Advisory, Mailing List)
http://www.openwall.com/lists/oss-security/2019/06/03/2 (Patch, Third Party Advisory, Mailing List)
http://www.securityfocus.com/bid/108023 (Third Party Advisory, VDB Entry, Broken Link)
https://github.com/jquery/jquery/pull/4333 (Patch, Third Party Advisory)
https://seclists.org/bugtraq/2019/Apr/32 (Third Party Advisory, Mailing List)
https://seclists.org/bugtraq/2019/Jun/12 (Third Party Advisory, Mailing List, Issue Tracking)
https://snyk.io/vuln/SNYK-JS-JQUERY-174006 (Third Party Advisory, Exploit)
https://www.drupal.org/sa-core-2019-006 (Patch, Third Party Advisory)