Attacker Value
Low
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
3

CVE-2019-11358

Disclosure Date: April 20, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Impact
Techniques
Validation
Validated
Validated
Initial Access
Techniques
Validation
Validated

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Add Assessment

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    Low
Technical Analysis

I don’t know what kind of expression is officially used, but it is a vulnerability that can change common objects.

When I tried it on the console, it became as follows.

Prepare the variables of test1 and test2, and assign the character string to the test of “proto” of test1.

Then, test2 will also display the character string assigned to test1.

I don’t know what the specifications are, but the same phenomenon occurs when using “proto” for the elements of the array.

If you assign {“admin”: 123456} to test [“__ proto__”], the admin property will be created in test, and only the assigned value will be entered (123456 in this example).

If you assign {“user”: 999999} to test [“user”], the user property will be created in test, and the assigned JSON itself will be entered.

———————————————————————————–+
Impact
Existing properties may be added or modified.

As a result, it can lead to DoS and remote code execution.

Also, changing properties can lead to logic evasion and privilege escalation.


First of all, I downloaded 3.3.1 and 3.4.1 to check the phenomenon.

https://jquery.com/download/

By using the verification code in the following article, we were able to confirm the operation of the vulnerability.

https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/

let a = $.extend(true, {}, JSON.parse(‘{”proto”: {“devMode”: true}}’))
console.log({}.devMode);
The result of console.log.

3.3.1

true
3.4.1

undefined
Confirmation of correction points
Since I was able to confirm the operation, I decided to confirm the correction points.

As I noticed, verification was added to see if the name was “proto”.

When I tried removing this validation, prototype pollution occurred.

I’m not familiar with javascript, so I can’t understand what I’m doing just by reading the source code.

Let’s actually look at the data handled in the process.

Since I was checking the contents of “name”, let’s see what the name is.

A lot came out.

After a little research, it looks like a jQuery function.

Proto” is also included.

Since name contains “proto”, look for the place where you are using name as an element of the array and assigning it.

Since there were two places, I set console.log.

The results came out messed up so I filtered it.

It was the first place that used “proto”.

I made a pinpoint fix to show devMode and the content was nicely displayed.

CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • backdropcms,
  • debian,
  • drupal,
  • fedoraproject,
  • joomla,
  • jquery,
  • juniper,
  • netapp,
  • opensuse,
  • oracle,
  • redhat

Products

  • agile product lifecycle management for process 6.1,
  • agile product lifecycle management for process 6.2.0.0,
  • agile product lifecycle management for process 6.2.1.0,
  • agile product lifecycle management for process 6.2.2.0,
  • agile product lifecycle management for process 6.2.3.0,
  • application express,
  • application service level management 13.2.0.0,
  • application service level management 13.3.0.0,
  • application testing suite 12.5.0.3,
  • application testing suite 13.1.0.1,
  • application testing suite 13.2,
  • application testing suite 13.2.0.1,
  • application testing suite 13.3,
  • application testing suite 13.3.0.1,
  • backdrop,
  • backports sle 15.0,
  • banking digital experience 18.1,
  • banking digital experience 18.2,
  • banking digital experience 18.3,
  • banking digital experience 19.1,
  • banking digital experience 19.2,
  • banking digital experience 20.1,
  • banking enterprise collections,
  • banking platform,
  • bi publisher 12.2.1.3.0,
  • bi publisher 12.2.1.4.0,
  • bi publisher 5.5.0.0.0,
  • big data discovery 1.6,
  • business process management suite 12.2.1.3.0,
  • business process management suite 12.2.1.4.0,
  • cloudforms 4.7,
  • communications analytics 12.1.1,
  • communications application session controller 3.8m0,
  • communications billing and revenue management 12.0,
  • communications billing and revenue management 12.0.0.3.0,
  • communications billing and revenue management 7.5,
  • communications billing and revenue management 7.5.0.23.0,
  • communications diameter signaling router 8.0.0,
  • communications diameter signaling router 8.1,
  • communications diameter signaling router 8.2,
  • communications diameter signaling router 8.2.1,
  • communications eagle application processor,
  • communications element manager 8.1.1,
  • communications element manager 8.2.0,
  • communications element manager 8.2.1,
  • communications interactive session recorder,
  • communications operations monitor,
  • communications operations monitor 3.4,
  • communications operations monitor 4.0,
  • communications operations monitor 4.1.0,
  • communications services gatekeeper 7.0,
  • communications session report manager 8.1.1,
  • communications session report manager 8.2.0,
  • communications session report manager 8.2.1,
  • communications session route manager 8.1.1,
  • communications session route manager 8.2.0,
  • communications session route manager 8.2.1,
  • communications unified inventory management 7.3,
  • communications unified inventory management 7.4.0,
  • communications webrtc session controller 7.2,
  • debian linux 8.0,
  • debian linux 9.0,
  • diagnostic assistant 2.12.36,
  • drupal,
  • enterprise manager ops center 12.3.3,
  • enterprise manager ops center 12.4.0,
  • enterprise manager ops center 12.4.0.0,
  • enterprise session border controller 8.4,
  • fedora 28,
  • fedora 29,
  • fedora 30,
  • financial services analytical applications infrastructure,
  • financial services analytical applications reconciliation framework,
  • financial services analytical applications reconciliation framework 8.1.0,
  • financial services asset liability management,
  • financial services asset liability management 8.1.0,
  • financial services balance sheet planning 8.0.8,
  • financial services basel regulatory capital basic,
  • financial services basel regulatory capital basic 8.1.0,
  • financial services basel regulatory capital internal ratings based approach,
  • financial services basel regulatory capital internal ratings based approach 8.1.0,
  • financial services data foundation,
  • financial services data governance for us regulatory reporting,
  • financial services data integration hub,
  • financial services data integration hub 8.1.0,
  • financial services enterprise financial performance analytics 8.0.6,
  • financial services enterprise financial performance analytics 8.0.7,
  • financial services funds transfer pricing,
  • financial services funds transfer pricing 8.1.0,
  • financial services hedge management and ifrs valuations,
  • financial services hedge management and ifrs valuations 8.1.0,
  • financial services institutional performance analytics,
  • financial services institutional performance analytics 8.1.0,
  • financial services liquidity risk management 8.0.0.1.0,
  • financial services liquidity risk management 8.0.2,
  • financial services liquidity risk management 8.0.4.0.0,
  • financial services liquidity risk management 8.0.5.0.0,
  • financial services liquidity risk management 8.0.6,
  • financial services liquidity risk measurement and management 8.0.7,
  • financial services liquidity risk measurement and management 8.0.8,
  • financial services liquidity risk measurement and management 8.1.0,
  • financial services loan loss forecasting and provisioning,
  • financial services loan loss forecasting and provisioning 8.1.0,
  • financial services market risk measurement and management 8.0.5,
  • financial services market risk measurement and management 8.0.6,
  • financial services market risk measurement and management 8.0.8,
  • financial services price creation and discovery,
  • financial services profitability management,
  • financial services profitability management 8.1.0,
  • financial services regulatory reporting for de nederlandsche bank 8.0.4,
  • financial services regulatory reporting for european banking authority 8.0.6,
  • financial services regulatory reporting for european banking authority 8.0.7,
  • financial services regulatory reporting for us federal reserve,
  • financial services retail customer analytics,
  • financial services retail performance analytics 8.0.6,
  • financial services retail performance analytics 8.0.7,
  • financial services revenue management and billing 2.4.0.0,
  • financial services revenue management and billing 2.4.0.1,
  • fusion middleware mapviewer 12.2.1.3.0,
  • healthcare foundation 7.1.1,
  • healthcare foundation 7.2.0,
  • healthcare foundation 7.2.2,
  • healthcare foundation 7.3.0,
  • healthcare translational research 3.1.0,
  • healthcare translational research 3.2.1,
  • healthcare translational research 3.3.1,
  • healthcare translational research 3.3.2,
  • healthcare translational research 3.4.0,
  • hospitality guest access 4.2.0,
  • hospitality guest access 4.2.1,
  • hospitality materials control 18.1,
  • hospitality simphony,
  • hospitality simphony 18.1,
  • hospitality simphony 18.2,
  • identity manager 12.2.1.3.0,
  • insurance accounting analyzer 8.0.9,
  • insurance allocation manager for enterprise profitability 8.0.8,
  • insurance allocation manager for enterprise profitability 8.1.0,
  • insurance data foundation,
  • insurance ifrs 17 analyzer 8.0.6,
  • insurance ifrs 17 analyzer 8.0.7,
  • insurance insbridge rating and underwriting,
  • insurance insbridge rating and underwriting 5.6.1.0,
  • insurance performance insight 8.0.7,
  • jd edwards enterpriseone tools 9.2,
  • jdeveloper 11.1.1.9.0,
  • jdeveloper 12.2.1.3.0,
  • jdeveloper 12.2.1.4.0,
  • jdeveloper and adf 11.1.1.9.0,
  • jdeveloper and adf 12.1.3.0.0,
  • jdeveloper and adf 12.2.1.3.0,
  • joomla!,
  • jquery,
  • junos 21.2,
  • knowledge,
  • leap 15.1,
  • oncommand system manager,
  • peoplesoft enterprise peopletools 8.55,
  • peoplesoft enterprise peopletools 8.56,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise peopletools 8.58,
  • policy automation,
  • policy automation 10.4.7,
  • policy automation 12.1.0,
  • policy automation 12.1.1,
  • policy automation connector for siebel 10.4.6,
  • policy automation for mobile devices,
  • primavera gateway,
  • primavera gateway 15.2.18,
  • primavera unifier,
  • primavera unifier 16.1,
  • primavera unifier 16.2,
  • primavera unifier 18.8,
  • real-time scheduler,
  • rest data services 11.2.0.4,
  • rest data services 12.1.0.2,
  • rest data services 12.2.0.1,
  • rest data services 18c,
  • rest data services 19c,
  • retail back office 14.0,
  • retail back office 14.1,
  • retail central office 14.0,
  • retail central office 14.1,
  • retail customer insights 15.0,
  • retail customer insights 16.0,
  • retail customer management and segmentation foundation 18.0,
  • retail customer management and segmentation foundation 19.0,
  • retail point-of-service 14.0,
  • retail point-of-service 14.1,
  • retail returns management 14.0,
  • retail returns management 14.1,
  • service bus 11.1.1.9.0,
  • service bus 12.1.3.0.0,
  • service bus 12.2.1.3.0,
  • siebel mobile applications,
  • siebel ui framework 20.8,
  • snapcenter -,
  • storagetek tape analytics sw tool 2.3.0,
  • system utilities 19.1,
  • tape library acsls 8.5,
  • tape library acsls 8.5.1,
  • transportation management 1.4.3,
  • utilities mobile workforce management,
  • virtualization manager 4.3,
  • webcenter sites 12.2.1.3.0,
  • weblogic server 10.3.6.0.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0

Exploited in the Wild

Reported by:

References

Advisory
Miscellaneous

Additional Info

Technical Analysis