Prototype Pollution vulnerability on jQuery < 3.4.0: Does it affect Django? #916
One of the reported vulnerabilities on jQuery prior to version 3.4.0 (CVE-2019-11358) has popped up in one of my open-source security scanners while I upgraded to Django 2.2.1. I downloaded Django's source code and it appears to be using jQuery v1.11.2.
The only js file I noticed uses the mentioned
Can anyone from the core development team validate whether this jQuery vulnerability affects Django in any way?
jQuery fix description:
Hi. Security questions are best handled via the email@example.com address.
You appear to have searched the code for the djangoproject.com website, rather than Django itself.
Django's usage is quite basic. It does not directly use the
Django 2.2 ships jQuery 3.3.1, which was the latest release when the branch was tagged. We will update the jQuery version for Django 3.0.
We will investigate if any other action is needed.
As with all static files, if you wish to override the provided version of jQuery, you may provide an alternate version, to be discovered first according to your
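As an added example that is not part of the original issue, jQuery's or Django's code: a minimal deep merge that models the recursive copy `jQuery.extend(true, ...)` performed before 3.4.0 (the behaviour behind CVE-2019-11358), the hardened variant that mirrors the 3.4.0 fix of skipping `__proto__`, and a check that reports whether `Object.prototype` has been polluted. The payload string and the `polluted` key are constructed for the demonstration.

```javascript
// Added example, not jQuery's or Django's code. deepMergeUnsafe models the
// pre-3.4.0 jQuery.extend(true, ...) recursion; deepMergeSafe mirrors the fix.
const isPlainObject = (v) =>
  v !== null && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;

// Vulnerable: copies every own key, "__proto__" included. JSON.parse creates
// an own "__proto__" key, and target["__proto__"] resolves to Object.prototype,
// so the nested keys are written onto every object in the runtime.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = deepMergeUnsafe(existing && typeof existing === "object" ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuses the keys that reach a prototype, and only recurses into a
// value that is the target's own plain object (never an inherited one).
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepMergeSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: any own property on Object.prototype that was absent at load time
// is pollution. Suitable as a test-suite assertion or a runtime health check.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypePollutionKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Runs both merges on a constructed payload carrying a "__proto__" key and
// restores Object.prototype afterwards so the demonstration does not leak.
function demo() {
  const payload = '{"__proto__": {"polluted": true}, "title": "hello"}'; // constructed input
  deepMergeUnsafe({}, JSON.parse(payload));
  const unsafeLeak = prototypePollutionKeys(); // ["polluted"]
  const unrelatedObjectSeesIt = {}.polluted === true; // true: a fresh object inherits it
  for (const k of unsafeLeak) delete Object.prototype[k];
  const safeTarget = deepMergeSafe({}, JSON.parse(payload));
  return { unsafeLeak, unrelatedObjectSeesIt, safeLeak: prototypePollutionKeys(), safeTitle: safeTarget.title };
}
```

`demo()` returns `{ unsafeLeak: ["polluted"], unrelatedObjectSeesIt: true, safeLeak: [], safeTitle: "hello" }`; in an application, the same `prototypePollutionKeys()` check run after untrusted JSON has been merged is the cheapest way to notice that a bundled library still has the old behaviour.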