UBUNTU-CVE-2019-11358
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 20 Apr 2019, 00:29
Last modified:27 May 2026, 10:16
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
6.1 MEDIUM
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
20 Apr 2019, 00:29
Published
Vulnerability first disclosed
27 May 2026, 10:16
Last Modified
Vulnerability information updated
Description
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
- ubuntu•drupal7
all
- ubuntu•jquery
< 1.7.2+dfsg-2ubuntu1+esm1 | < 1.11.3+dfsg-4ubuntu0.1~esm1 | < 3.2.1-1ubuntu0.1~esm1
- ubuntu•mediawiki
all | all | all | all | all | all | all
- ubuntu•node-jquery
all | all
- ubuntu•otrs2
all | all | all
References (9)
- https://ubuntu.com/security/CVE-2019-11358
- https://www.drupal.org/sa-core-2019-006
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://github.com/jquery/jquery/pull/4333
- https://www.cve.org/CVERecord?id=CVE-2019-11358
- https://ubuntu.com/security/notices/USN-7622-1