CVE-2019-11358
low
CVSS v3: n/a
CVSS v4: n/a
VIR risk: 3.5
Description
RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low)
Predictions
Exploit likelihood
30%
Patch ETA: n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
jQuery 3.3.1 - Prototype Pollution & XSS Exploit
OS impact
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | python3-qrcode-core-5.1-12.module_el8.6.0+2737+7e73ea90.noarch.rpm |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Fixed | 2.2.2-1 |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:1.31.2-1 |
| sid | Fixed | 1:1.31.2-1 |
| forky | Fixed | 1:1.31.2-1 |
| bullseye | Fixed | 1:1.31.2-1 |
| bookworm | Fixed | 1:1.31.2-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | n/a |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | n/a |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.webjars.npm:jquery | >=1.1.4,<3.4.0 | 3.4.0 |
| Packagist | maximebf/debugbar | <1.19.0 | 1.19.0 |
| npm | jquery | >=1.1.4,<3.4.0 | 3.4.0 |
| RubyGems | jquery-rails | <4.3.4 | 4.3.4 |
| NuGet | jQuery | >=1.1.4,<3.4.0 | 3.4.0 |
| PyPI | django | >=2.0a1,<2.1.9 | 2.1.9 |
| PyPI | django | >=2.2a1,<2.2.2 | 2.2.2 |
| Packagist | drupal/core | >=8.0.0,<8.5.15||>=8.6.0,<8.6.15 | 8.5.15 |
References
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- https://github.com/maximebf/php-debugbar/issues/447
- https://github.com/jquery/jquery/pull/4333
- https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
- https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
- https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
- https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
- https://seclists.org/bugtraq/2019/Apr/32
- https://seclists.org/bugtraq/2019/Jun/12
- https://seclists.org/bugtraq/2019/May/18
- https://www.tenable.com/security/tns-2020-02