NodeJS/jquery/2.1.4
JavaScript library for DOM operations
https://www.npmjs.com/package/jquery
MIT
7 Security Vulnerabilities
Duplicate Advisory: jQuery Cross Site Scripting vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2020-23064
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
- https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
- https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
- https://github.com/advisories/GHSA-257q-pv89-v3xv
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- https://security.netapp.com/advisory/ntap-20230725-0003
- https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jpcq-cgw6-v4j6. This link is maintained to preserve external references.
Original Description
Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the <options>
element.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- https://github.com/advisories/GHSA-6c3j-c64m-qhgq
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- https://github.com/jquery/jquery/pull/4333
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://www.drupal.org/sa-core-2019-006
- https://access.redhat.com/errata/RHBA-2019:1570
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/errata/RHSA-2019:2587
- https://access.redhat.com/errata/RHSA-2019:3023
- https://access.redhat.com/errata/RHSA-2019:3024
- https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/
- https://seclists.org/bugtraq/2019/Apr/32
- https://seclists.org/bugtraq/2019/Jun/12
- https://seclists.org/bugtraq/2019/May/18
- https://security.netapp.com/advisory/ntap-20190919-0001/
- https://www.debian.org/security/2019/dsa-4434
- https://www.debian.org/security/2019/dsa-4460
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/
- https://www.synology.com/security/advisory/Synology_SA_19_19
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2020-02
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- http://www.openwall.com/lists/oss-security/2019/06/03/2
- http://www.securityfocus.com/bid/108023
- https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml
- https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226
- https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1
- https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023
- https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
- https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
- https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released
- https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E
- https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
- https://security.netapp.com/advisory/ntap-20190919-0001
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...)
because of Object.prototype
pollution. If an unsanitized source object contained an enumerable __proto__
property, it could extend the native Object.prototype
.
Potential XSS vulnerability in jQuery
- https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- https://nvd.nist.gov/vuln/detail/CVE-2020-11022
- https://github.com/advisories/GHSA-gxr4-xjj5-5px2
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- https://jquery.com/upgrade-guide/3.5/
- https://security.netapp.com/advisory/ntap-20200511-0006/
- https://www.drupal.org/sa-core-2020-002
- https://www.debian.org/security/2020/dsa-4693
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
- https://www.oracle.com/security-alerts/cpujul2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- https://security.gentoo.org/glsa/202007-03
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E
- https://www.npmjs.com/advisories/1518
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
- https://www.tenable.com/security/tns-2020-10
- https://www.tenable.com/security/tns-2020-11
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
- https://www.tenable.com/security/tns-2021-02
- https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
- https://www.tenable.com/security/tns-2021-10
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
- https://github.com/jquery/jquery/releases/tag/3.5.0
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml
Impact
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html()
, .append()
, and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround the issue without upgrading, adding the following to your code:
jQuery.htmlPrefilter = function( html ) {
return html;
};
You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Potential XSS vulnerability in jQuery
- https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
- https://nvd.nist.gov/vuln/detail/CVE-2020-11023
- https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
- https://jquery.com/upgrade-guide/3.5/
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- https://security.netapp.com/advisory/ntap-20200511-0006/
- https://www.drupal.org/sa-core-2020-002
- https://www.debian.org/security/2020/dsa-4693
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
- https://www.oracle.com/security-alerts/cpujul2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- https://security.gentoo.org/glsa/202007-03
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
- https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@%3Cissues.hive.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
- https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@%3Ccommits.hive.apache.org%3E
- https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@%3Cdev.hive.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@%3Ccommits.felix.apache.org%3E
- https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@%3Cdev.felix.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
- https://www.tenable.com/security/tns-2021-02
- https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
- https://www.tenable.com/security/tns-2021-10
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
- https://github.com/jquery/jquery/releases/tag/3.5.0
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11023.yml
- https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
- https://security.netapp.com/advisory/ntap-20230725-0003
- https://security.netapp.com/advisory/ntap-20200511-0006
- https://jquery.com/upgrade-guide/3.5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml
- https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
- https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
Impact
Passing HTML containing <option>
elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html()
, .append()
, and others) may execute untrusted code.
Patches
This problem is patched in jQuery 3.5.0.
Workarounds
To workaround this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY
option to sanitize the HTML string before passing it to a jQuery method.
References
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.
Cross-Site Scripting (XSS) in jquery
- https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- https://github.com/advisories/GHSA-rmxg-73gg-4p98
- https://github.com/jquery/jquery/issues/2432
- https://github.com/jquery/jquery/pull/2588
- https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614
- https://www.npmjs.com/advisories/328
- https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2
- https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
- https://access.redhat.com/errata/RHSA-2020:0481
- https://access.redhat.com/errata/RHSA-2020:0729
- https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
- https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://seclists.org/bugtraq/2019/May/18
- https://security.netapp.com/advisory/ntap-20210108-0004/
- https://snyk.io/vuln/npm:jquery:20150627
- https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.tenable.com/security/tns-2019-08
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/105658
- https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450227
- https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420
- https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377
- https://web.archive.org/web/20200227030101/http://www.securityfocus.com/bid/105658
- https://github.com/rails/jquery-rails/releases/tag/v4.2.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-9251.yml
Affected versions of jquery
interpret text/javascript
responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval
, even when the ajax request doesn't contain the dataType
option.
Recommendation
Update to version 3.0.0 or later.
Duplicate Advisory: Prototype Pollution in jquery
Duplicate Advisory
This advisory is a duplicate of GHSA-6c3j-c64m-qhgq. This link is maintained to preserve external references.
Original Description
Versions of jquery
prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object
causing changes in properties that will exist on all objects.
Recommendation
Upgrade to version 3.4.0 or later.
Cross-Site Scripting (XSS)
Jquery is a javascript library for DOM traversal and manipulation, event handling, animation, and Ajax.
When text/javascript responses are received from cross-origin ajax requests not containing the option dataType
, the result is executed in jQuery.globalEval
potentially allowing an attacker to execute arbitrary code on the origin.
60 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
3.1.0 | MIT | 5 | 2016-07-07 - 21:46 | almost 8 years |
3.0.0 | MIT | 5 | 2016-06-09 - 18:33 | almost 8 years |
3.2.1 | MIT | 5 | 2017-03-20 - 19:02 | about 7 years |
1.12.2 | MIT | 5 | 2016-03-17 - 17:45 | about 8 years |
3.3.0 | MIT | 5 | 2018-01-19 - 19:03 | over 6 years |
3.2.0 | MIT | 5 | 2017-03-16 - 21:30 | about 7 years |
3.3.1 | MIT | 5 | 2018-01-20 - 17:27 | over 6 years |
3.1.1 | MIT | 5 | 2016-09-22 - 22:32 | over 7 years |
1.11.2 | MIT | 7 | 2014-12-17 - 16:07 | over 9 years |
1.11.0-beta3 | MIT | 7 | 2014-01-06 - 19:57 | over 10 years |
1.11.0-rc1 | MIT | 7 | 2014-01-16 - 21:08 | over 10 years |
2.1.0-rc1 | MIT | 7 | 2014-01-17 - 22:47 | over 10 years |
1.11.0 | MIT | 7 | 2014-01-23 - 21:07 | over 10 years |
2.1.0 | MIT | 7 | 2014-01-23 - 21:12 | over 10 years |
2.1.0-beta2 | MIT | 7 | 2013-11-15 - 16:34 | over 10 years |
1.11.1-beta1 | MIT | 7 | 2014-03-24 - 17:25 | about 10 years |
2.1.1-rc1 | MIT | 7 | 2014-04-18 - 15:29 | about 10 years |
1.11.1-rc1 | MIT | 7 | 2014-04-18 - 15:40 | about 10 years |
2.1.1-rc2 | MIT | 7 | 2014-04-21 - 20:52 | about 10 years |
1.11.1-rc2 | MIT | 7 | 2014-04-21 - 21:12 | about 10 years |
2.1.1 | MIT | 7 | 2014-05-01 - 17:15 | about 10 years |
1.11.1 | MIT | 7 | 2014-05-01 - 18:05 | about 10 years |
1.9.1 | MIT | 7 | 2014-07-17 - 22:01 | almost 10 years |
2.1.2 | MIT | 7 | 2014-12-17 - 14:14 | over 9 years |
2.1.0-beta3 | MIT | 7 | 2013-12-20 - 22:53 | over 10 years |
2.1.1-beta1 | MIT | 7 | 2014-03-24 - 17:05 | about 10 years |
2.2.4 | MIT | 7 | 2016-05-20 - 17:26 | about 8 years |
1.11.3 | MIT | 7 | 2015-04-28 - 16:22 | about 9 years |
1.12.4 | MIT | 7 | 2016-05-20 - 17:19 | about 8 years |
1.12.3 | MIT | 7 | 2016-04-05 - 19:21 | about 8 years |
2.2.1 | MIT | 7 | 2016-02-22 - 19:12 | about 8 years |
2.1.4 | MIT | 7 | 2015-04-28 - 16:17 | about 9 years |
2.2.0 | MIT | 7 | 2016-01-08 - 20:03 | over 8 years |
2.1.3 | MIT | 7 | 2014-12-18 - 15:18 | over 9 years |
2.2.3 | MIT | 7 | 2016-04-05 - 19:27 | about 8 years |
2.2.2 | MIT | 7 | 2016-03-17 - 17:52 | about 8 years |
1.6.2 | MIT | 10 | 2011-07-06 - 16:13 | almost 13 years |
1.5.1 | MIT | 10 | 2011-03-19 - 07:19 | about 13 years |
1.6.3 | MIT | 9 | 2011-09-12 - 19:05 | over 12 years |
1.8.3 | MIT | 10 | 2012-12-01 - 00:03 | over 11 years |
1.8.2 | MIT | 10 | 2012-11-11 - 22:43 | over 11 years |
1.7.2 | MIT | 10 | 2012-05-01 - 11:14 | about 12 years |
1.7.3 | MIT | 10 | 2012-07-01 - 16:11 | almost 12 years |
3.0.0-beta1 | MIT | 6 | 2016-01-14 - 23:09 | over 8 years |
1.12.1 | MIT | 6 | 2016-02-22 - 19:08 | about 8 years |
3.0.0-alpha1 | MIT | 6 | 2015-07-13 - 19:26 | almost 9 years |
1.12.0 | MIT | 6 | 2016-01-08 - 19:58 | over 8 years |
3.0.0-rc1 | MIT | 6 | 2016-05-20 - 19:13 | about 8 years |
3.4.0 | MIT | 3 | 2019-04-10 - 19:53 | about 5 years |
3.4.1 | MIT | 3 | 2019-05-01 - 21:19 | about 5 years |
3.5.0 | MIT | 2020-04-10 - 15:41 | about 4 years | |
3.5.1 | MIT | 2020-05-04 - 22:50 | about 4 years | |
3.6.0 | MIT | 2021-03-02 - 17:12 | about 3 years | |
3.6.1 | MIT | 2022-08-26 - 17:54 | over 1 year | |
3.6.2 | MIT | 2022-12-13 - 14:58 | over 1 year | |
3.6.3 | MIT | 2022-12-20 - 21:34 | over 1 year | |
3.6.4 | MIT | 2023-03-08 - 15:32 | about 1 year | |
3.7.0 | MIT | 2023-05-11 - 18:32 | about 1 year | |
3.7.1 | MIT | 2023-08-28 - 13:39 | 9 months | |
4.0.0-beta | MIT | 2024-02-06 - 16:43 | 3 months |