Fluid Attacks Database

Description

Duplicate Advisory: Prototype Pollution in jquery

Duplicate Advisory

This advisory is a duplicate of GHSA-6c3j-c64m-qhgq. This link is maintained to preserve external references.

Original Description

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Recommendation

Upgrade to version 3.4.0 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.webjars.npm:jquery	<0	3.4.0
nuget	jquery	<0	3.4.0, 3.4.0
rubygems	jquery-rails	<0	3.4.0

Aliases

1. CVE-2019-54282. NVD-2019-54283. OSV-2019-54284. GCVE-2019-5428

References

1. https://github.com/jquery/jquery/pull/43332. https://hackerone.com/reports/4543653. https://blog.jquery.com/2019/04/10/jquery-3-4-0-released4. https://www.npmjs.com/advisories/796

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.