Core: Prevent Object.prototype pollution for $.extend( true, ... ) #4333
Conversation
Imo security patches should be patch releases then for all affected versions (3.3, 3.x, 2.x). Do we really need a 3.4.0 release?
I second @DanielRuf. A patch would allow a smoother update path without requiring everybody to wait for the (currently 13) unresolved issues to be resolved and then having to test if the minor version doesn't break anything...
Short question: Was a CVE ID requested for this?
I will be requesting that through the Node.js Security WG and update once we have it.
Any ETA regarding the new version?
If all goes well, it should be out within the next few days.
--
Michał Gołębiowski-Owczarek
@oliviernt you can maybe use these patches or try to create one with I have published some for the unmodified releases at https://github.com/DanielRuf/snyk-js-jquery-174006?files=1 I have also created a YARA rule for DevSecOps solutions if needed. We will probably patch the used versions in all our projects.
This might be a stupid question, but is jquery-3.3.1.min impacted as well?
@louissanchez84 all versions are impacted by this vuln.
I have only created the patches for the latest releases of 1.x, 2.x and 3.x. The unminified releases can be patched with the same patch files and
@DanielRuf Thank you for the quick response.
jQuery 3.4.0 with the fix has been released: We don't plan to backport the change ourselves to older release lines at this point. jQuery 3.0 was released a few years ago already and older versions have a more serious CVE on them that we only fixed in jQuery 3.0 as someone might depend on the older behavior:
CVE assigned: CVE-2019-5428
Side-note regarding the CVE(s)... Isn't CVE-2019-5428 a duplicate of CVE-2019-11358? If that's the case, @lirantal can you please get in touch with MITRE to mark it as duplicate? Thank you!
5248 targets the vulnerability in jquery as the product, whereas 11358 targets a Drupal version (or component inside it) as an advisory. Not convinced they are duplicates though.
Hello Liran,
Liran Tal writes:
5248 targets the vulnerability in jquery as the product, whereas 11358 targets a Drupal version (or component inside it) as an advisory. Not convinced they are duplicates though.
Can you please elaborate further why they are not duplicates?
(aren't they describing the same problem?)
Thanks!
I take it back. They do seem duplicates as the NVD report actually refers to jQuery and at a short glance it seemed to be referring to Drupal. I'll contact them and update.
CVE-2019-5428 also does not link the Snyk report directly, while CVE-2019-11358 does. I have linked CVE-2019-11358 as it contains more info.
Assigning CNA for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5428 was HackerOne.
Request logged at CVE Request 679060
Liran Tal writes:
Request logged at CVE Request 679060
Thank you Liran!
Hello Daniel,
we probably can't. These are sent as replies via (private) emails
to those who submit updates for CVE entries via the CVE form.
Ah ok. Not sure what this other number is (request? much higher number) but I'll wait and still use the CVE-2019-11358 in references as it contains the scores and the analysis is not pending.
Update from MITRE ticket: CVE-2019-11358 will be the leading one and others will be mentioned and set as duplicates. Have a great weekend fellas!
See jquery/jquery#4333 Fixes RM-18059
Closes jquerygh-4333 Signed-off-by: Benjamin Cutler <bcutler@pivotal.io>
Summary
Prevent Object.prototype pollution for $.extend( true, ... )
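As an added example (not jQuery's code and not part of this thread), a minimal recursive merge modelled on the behaviour the title describes, carrying the `__proto__` and self-reference guard, beside the pre-fix form, plus a regression check a maintainer could run before shipping a patch release. The names deepMerge, unsafeDeepMerge, mergeInto and prototypeStaysClean are assumed.

```javascript
// Illustrative deep merge in the spirit of $.extend( true, ... ); NOT jQuery's
// own implementation. deepMerge() applies the guard this PR adds (skip a source
// key named "__proto__" and skip a value that is the target itself);
// unsafeDeepMerge() omits it so the regression check can show the difference.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function mergeInto(target, source, guard) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    // Prevent Object.prototype pollution and never-ending self-merge loops.
    if (guard && (name === "__proto__" || copy === target)) {
      continue;
    }
    if (isPlainObject(copy)) {
      // Without the guard, reading target["__proto__"] yields Object.prototype,
      // which the recursion then writes into.
      const existing = target[name];
      target[name] = mergeInto(isPlainObject(existing) ? existing : {}, copy, guard);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

function deepMerge(target, source) { return mergeInto(target, source, true); }
function unsafeDeepMerge(target, source) { return mergeInto(target, source, false); }

// Regression check: merge a JSON-parsed document (constructed sample) that
// carries an own property literally named "__proto__", then report whether
// Object.prototype gained a property as a result.
function prototypeStaysClean(mergeFn) {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const result = mergeFn({ a: { c: 2 } }, untrusted);
  const after = Object.getOwnPropertyNames(Object.prototype).length;
  const clean = after === before && !("polluted" in {});
  // Restore the prototype so later checks in this process start clean.
  delete Object.prototype.polluted;
  return { clean, result };
}
```

Running prototypeStaysClean(deepMerge) reports clean, while the unguarded form does not; the merged result is otherwise identical.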
Checklist