
#15353 new bug

Opened September 18, 2019 06:03PM UTC

Last modified September 19, 2019 01:19AM UTC

Security bug reported with jquery ui 1.12

Reported by: scottdickerson Owned by:
Priority: minor Milestone: none
Component: ui.core Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:
Description

A flagged security exposure by our security scan tool

/Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

This is due to your packaged version of jquery

Issue 1 of 2
Issue ID: 2df3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status: New
Classification: Definitive
Location: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, August 12, 2019
Last Updated: Monday, August 12, 2019
CVE: 2015-9251
File: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2015-9251
Description: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Resolution: Upgrade To Version 3.0.0
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
Issue 1 of 2 - Details
None

Issue 2 of 2
Issue ID: 2ef3ae9d-a1bc-e911-ac11-002590ac753d
Severity: Medium
Status: New
Classification: Definitive
Location: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, August 12, 2019
Last Updated: Monday, August 12, 2019
CVE: 2019-11358
File: /Users/scottsd/Documents/GitHub/analytics-service-library/env/lib/python3.7/site-packages/matplotlib/backends/web_backend/jquery-ui-1.12.1/external/jquery/jquery.js
Name: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Resolution: Upgrade To Version 3.4.0
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
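The two findings above boil down to one question for anyone who ships a vendored copy of jquery.js (as the matplotlib web backend does here): which jQuery version is actually in the file, and is it older than the fixed versions the scan quotes (3.0.0 for CVE-2015-9251, 3.4.0 for CVE-2019-11358)? The block below is an added example written for this ticket, not code from the ticket, jQuery, jQuery UI or matplotlib. It reads the version out of a jQuery build banner, reports which of the two advisories still apply, and then shows the kind of deep-merge guard that the 3.4.0 fix introduced in jQuery.extend: a merge that never walks a key named `__proto__` (or `constructor`/`prototype`). The banner string, the payload and every function name are constructed for the example; the banner format (`jQuery v1.12.4` in minified builds, `jQuery JavaScript Library v1.12.4` in unminified ones) is an assumption about how jQuery releases label themselves, so check it against the file you actually have.

```javascript
// Added example for ticket #15353; not code from jQuery, jQuery UI or matplotlib.

// Fixed versions quoted from the scan output in the ticket.
const ADVISORIES = [
  { cve: "CVE-2015-9251", fixedIn: "3.0.0",
    note: "cross-domain Ajax without dataType executes text/javascript" },
  { cve: "CVE-2019-11358", fixedIn: "3.4.0",
    note: "jQuery.extend(true, ...) reachable Object.prototype pollution" },
];

// Constructed sample of the banner comment at the top of a jQuery build
// (assumed format; verify against the vendored file).
const SAMPLE_BANNER =
  "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n";

// Pull "x.y.z" out of the banner; returns null when no banner is found.
function jqueryVersionFromSource(src) {
  const m = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/.exec(src);
  return m ? m[1] : null;
}

// Numeric three-part version compare: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// CVE ids whose fix version is newer than the vendored version.
function applicableAdvisories(version) {
  return ADVISORIES
    .filter((a) => compareVersions(version, a.fixedIn) < 0)
    .map((a) => a.cve);
}

// ---- the merge guard behind the CVE-2019-11358 fix ----------------------

// Keys through which a merge could reach Object.prototype.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep merge that refuses to recurse into or assign the unsafe keys.
// jQuery 3.4.0 added an equivalent `name === "__proto__"` check in extend().
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop it rather than copy it
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape the advisory describes. It is parsed from
// JSON so that "__proto__" arrives as an own, enumerable key (an object
// literal with that key would instead set the object's prototype).
const UNTRUSTED_OPTIONS = JSON.parse(
  '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}'
);

// Merge the untrusted options into defaults and report whether a fresh
// object still lacks the injected property, i.e. Object.prototype is clean.
function mergeAndCheck() {
  const merged = safeDeepExtend({ theme: { dark: false, size: 12 } },
                                UNTRUSTED_OPTIONS);
  return { merged, prototypeClean: !("isAdmin" in {}) };
}

const version = jqueryVersionFromSource(SAMPLE_BANNER);
console.log(`vendored jQuery ${version}: ${applicableAdvisories(version)}`);
console.log(JSON.stringify(mergeAndCheck()));
```

Running it against the constructed 1.12.4 banner lists both CVEs, against a 3.0.0 build only CVE-2019-11358, and against 3.4.0 nothing; the merge keeps the `theme` values and silently drops the `__proto__` key, so `prototypeClean` stays true. For the other finding, the mitigation is a request-side setting rather than a merge guard: pass an explicit `dataType` on cross-domain `$.ajax` calls so a `text/javascript` response is not evaluated, and upgrade the vendored copy regardless.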
Attachments (0)
Change History (1)

Changed September 19, 2019 01:19AM UTC by rjollos comment:1

description: modified (the scan output in the description was wrapped in a {{{ ... }}} preformatted block; the text itself is unchanged from the description above)