The impact of the issue could be severe considering that the jQuery JavaScript library is currently used on 74 percent of websites online, most sites still use the 1.x and 2.x versions of the library that are affected by the ‘Prototype Pollution’ vulnerability.
This week the library has received a security patch to address the issue, this week, three years after the last major security flaw discovered in its code.
JavaScript objects are like variables that can be used to store multiple values based on a predefined structure. Prototypes are used to define a JavaScript object’s default structure and default values, they are essential to specify an expected structure when no values are set.
An attacker that is able to modify a JavaScript object prototype can make an application crash and change behavior if it doesn’t receive the expected values.
Due to the diffusion of JavaScript, the exploitation of prototype pollution flaws could have serious consequences on web applications.
The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack.
“This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects. “
The experts demonstrated that exploiting the flaw attackers can assign themselves admin rights on a web app that uses the jQuery library code.
Fortunately, according to the experts, this prototype pollution issue is not exploitable for mass-attacks because the exploit code must be crafted for each specific target.
Web developers using jQuery JavaScript library for their applications are advised to update their projects to the latest jQuery version, v3.4.0.
“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” reads the blog post published by the jQuery team.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, jQuery JavaScript library )
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.