CVE-2019-11358
Prototype Pollution vulnerability in jquery

Tags: Prototype Pollution · High confidence exploit · Fixable by Resolved Security

What is CVE-2019-11358 About?

This vulnerability is a Prototype Pollution issue in jQuery versions from 1.1.4 until 3.4.0, specifically in `jQuery.extend(true, {}, ...)`. If an attacker can inject an enumerable `__proto__` property into a source object, they can modify `Object.prototype`, leading to widespread object property modifications. Exploitation can enable various attacks like property injection or denial of service.

Affected Software

  • jquery
    • >1.1.4, <3.4.0
  • jquery-rails
    • <4.3.4
  • jQuery
    • >1.1.4, <3.4.0
  • django
    • >2.0a1, <2.1.9
    • >2.2a1, <2.2.2
  • org.webjars.npm:jquery
    • >1.1.4, <3.4.0
  • maximebf/debugbar
    • <1.19.0

Technical Details

The vulnerability exists in jQuery versions 1.1.4 up to, but not including, 3.4.0. It is a Prototype Pollution issue in `jQuery.extend(true, {}, ...)`, which performs a deep merge of objects; the `true` parameter enables recursive merging. The core problem is that `jQuery.extend` does not sanitize the keys of its source objects. If an attacker can supply an object that contains an enumerable own property named `__proto__` (for example, one produced by parsing attacker-controlled JSON), the deep merge treats it as a regular object property: reading `target.__proto__` yields `Object.prototype`, and the nested values are merged into it. Properties injected into `Object.prototype` then appear on *all* plain JavaScript objects, leading to unintended behaviour such as overriding benign default values, injecting malicious code, or causing type confusion, which can be leveraged for Cross-Site Scripting (XSS), privilege escalation, or Denial of Service depending on the application context.

What is the Impact of CVE-2019-11358?

Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, potentially leading to property injection, data manipulation, unexpected application behavior, or remote code execution in severe cases.

What is the Exploitability of CVE-2019-11358?

Exploitation of this vulnerability ranges from moderate to high complexity, depending on the desired impact and the application's specific use of `jQuery.extend`. An attacker needs an input vector where data they control is eventually deep-merged with the vulnerable `jQuery.extend(true, {}, ...)` call; this typically happens through JSON parsing, URL parameters, or other deserialization of request data. No authentication is inherently required if the vulnerable code path is reachable by unauthenticated users, such as via publicly accessible forms or API endpoints; authenticated contexts can be vulnerable as well. No specific privileges are needed beyond being able to submit crafted data, and the vulnerability is predominantly remote. The high confidence of exploit presence indicates that the methods for triggering this behaviour are well understood. Risk factors include applications that deserialize untrusted user input and then perform deep merges with jQuery, and those that ship vulnerable versions of jQuery inside components such as Drupal or Backdrop CMS.

What are the Known Public Exploits?

Public PoC references (author and commentary):

  • chrisneagu: NOTICE This repository contains the public FTC SDK for the SKYSTONE (2019-2020) competition season. If you are looking for the current season's FTC SDK software, please visit the new and permanent...
  • DanielRuf: patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428
  • DanielRuf: patches for SNYK-JS-JQUERY-565129, SNYK-JS-JQUERY-567880, CVE-2020-1102, CVE-2020-11023, includes the patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428

What are the Available Fixes for CVE-2019-11358?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds a check in the jQuery.extend function to prevent copying properties named "__proto__", which stops attackers from injecting properties into Object.prototype via crafted input. This fixes CVE-2019-11358 by mitigating prototype pollution attacks that could let malicious code escalate privileges or alter application behavior by tampering with object prototypes.
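The following is an added example illustrating both the merge behaviour from the Technical Details section and the `__proto__` check described in the fix above. It is a simplified reimplementation written for this page, not jQuery's own source nor the Resolved Security patch; the JSON payload is constructed for the demonstration, and `pollutesGlobalPrototype` is a helper name chosen here.

```javascript
// Minimal deep merge mirroring the recursive behaviour of jQuery.extend(true, ...)
// in affected versions. NOT jQuery's code: a simplified reimplementation that shows
// why an own, enumerable "__proto__" key on the source object is dangerous.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // For key "__proto__", target[key] yields Object.prototype, which is then merged into.
      const existing = target[key];
      const clone = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skip the "__proto__" key (the check the fix adds) and
// only copy the source object's own properties, never inherited ones.
function deepExtendHardened(target, source) {
  for (const key in source) {
    if (key === '__proto__' || !Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = target[key];
      const clone = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = deepExtendHardened(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: merge a constructed JSON document (JSON.parse creates an own,
// enumerable "__proto__" property, unlike an object literal) into an empty object and
// report whether unrelated objects now see the injected property. The injected
// property is removed afterwards so the check leaves the runtime clean.
function pollutesGlobalPrototype(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');
  mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('vulnerable merge pollutes:', pollutesGlobalPrototype(deepExtendVulnerable)); // true
console.log('hardened merge pollutes:', pollutesGlobalPrototype(deepExtendHardened));     // false
```

The same `pollutesGlobalPrototype` pattern can be pointed at a real `jQuery.extend.bind(null, true)` in a unit test to confirm that an upgraded or patched build no longer leaks.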

Available Upgrade Options

  • django
    • >2.0a1, <2.1.9 → Upgrade to 2.1.9
  • django
    • >2.2a1, <2.2.2 → Upgrade to 2.2.2
  • jQuery
    • >1.1.4, <3.4.0 → Upgrade to 3.4.0
  • org.webjars.npm:jquery
    • >1.1.4, <3.4.0 → Upgrade to 3.4.0
  • jquery-rails
    • <4.3.4 → Upgrade to 4.3.4
  • maximebf/debugbar
    • <1.19.0 → Upgrade to 1.19.0
  • jquery
    • >1.1.4, <3.4.0 → Upgrade to 3.4.0

Additional Resources

What are Similar Vulnerabilities to CVE-2019-11358?

Similar Vulnerabilities: CVE-2018-3721, CVE-2020-8200, CVE-2020-28283, CVE-2020-28284, CVE-2020-28286