ALT-BU-2019-3716-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2019-01542
Vulnerability in the jQuery.extend() function of the jQuery library, allowing an attacker to cause a denial of service, execute arbitrary JavaScript code, or escalate privileges
BDU:2019-03562
Vulnerability in the CMS component of the MediaWiki collaborative web-site software, related to cross-site request forgery, allowing an attacker to affect data integrity, gain unauthorized access to protected information, and cause a denial of service
BDU:2019-03563
Vulnerability in the Special:ChangeEmail function of the MediaWiki hypertext-environment software, allowing an attacker to affect data integrity
BDU:2019-03617
Vulnerability in the MediaWiki hypertext-environment software, related to a re-authentication bypass, allowing an attacker to affect data integrity, gain unauthorized access to protected information, and cause a denial of service
BDU:2019-03618
Vulnerability in the MediaWiki hypertext-environment software, related to access control flaws, allowing an attacker to gain unauthorized access to information
BDU:2019-03619
Vulnerability in the MediaWiki hypertext-environment software, related to access control flaws, allowing an attacker to gain unauthorized access to information
BDU:2019-03620
Vulnerability in the MediaWiki hypertext-environment software, related to loading user JavaScript code from a non-existent account, allowing an attacker to violate data integrity
BDU:2019-03621
Vulnerability in the MediaWiki hypertext-environment software, related to access control flaws, allowing an attacker to violate data integrity
BDU:2019-03622
Vulnerability in the MediaWiki hypertext-environment software, related to passing invalid titles to the API, allowing an attacker to cause a denial of service
BDU:2019-04254
Vulnerability in the jQuery.extend(true, {}, ...) function of the jQuery library, allowing an attacker to affect the confidentiality and integrity of protected information
BDU:2020-02564
Vulnerability in the MediaWiki hypertext-environment software, related to passing invalid titles to the API, allowing an attacker to gain unauthorized access to protected information
Modified: 2024-11-21
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
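The following is an added illustration for this CVE, not code from the bulletin or from jQuery itself. It re-implements, in simplified form, the deep-merge behaviour of jQuery.extend(true, target, source) before 3.4.0, shows how an attacker-controlled JSON source with an own "__proto__" key lands on Object.prototype, and then applies the guard introduced in jQuery 3.4.0 (skip the "__proto__" key and self-references). The function names, isPlainObject stand-in and the sample payload are constructed for this example.

```javascript
// Added illustration for CVE-2019-11358; not jQuery's own source.
// isPlainObject and deepExtend* are simplified stand-ins for jQuery internals.

// Simplified plain-object test. jQuery's own check is stricter but, like this
// one, returns true for Object.prototype itself, which is what matters here.
function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]";
}

// Mirrors jQuery.extend(true, target, source) before 3.4.0: every enumerable
// key of `source` is recursed into, including an own property literally named
// "__proto__". Reading target["__proto__"] yields Object.prototype, so the
// recursive merge writes the attacker's keys onto the global prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same merge with the guard jQuery 3.4.0 introduced: never descend into
// "__proto__", and never merge an object into itself.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) {
      continue;
    }
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an *own* enumerable property
// named "__proto__" (it does not change the prototype), and that is exactly
// what the for...in loops above will visit.
const UNTRUSTED_JSON = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Runs the vulnerable merge into a fresh object and reports whether an
// unrelated, newly created object now inherits the injected key.
// Object.prototype is restored afterwards so the rest of the process is unaffected.
function demonstratePollution() {
  const merged = deepExtendVulnerable({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const result = {
    mergedName: merged.name,
    unrelatedIsAdmin: unrelated.isAdmin === true,
  };
  delete Object.prototype.isAdmin;
  return result;
}

// Same input through the fixed merge: ordinary keys are still copied,
// but nothing reaches Object.prototype.
function demonstrateFix() {
  const merged = deepExtendFixed({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const result = {
    mergedName: merged.name,
    unrelatedIsAdmin: unrelated.isAdmin === true,
  };
  delete Object.prototype.isAdmin; // no-op here, kept for symmetry
  return result;
}

console.log("vulnerable:", demonstratePollution()); // unrelatedIsAdmin: true
console.log("fixed:     ", demonstrateFix());       // unrelatedIsAdmin: false
```

The same pattern applies to any deep-merge or "options" helper that walks untrusted JSON with for...in: the check that matters is refusing to recurse into a key named "__proto__" (and, where the merge is exposed to arbitrary keys, "constructor" and "prototype" deserve the same treatment), not trying to detect pollution after the fact.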
- openSUSE-SU-2019:1839
- openSUSE-SU-2019:1872
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- 20190510 dotCMS v5.1.1 Vulnerabilities
- 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability
- 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability
- [oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
- 108023
- RHBA-2019:1570
- RHSA-2019:1456
- RHSA-2019:2587
- RHSA-2019:3023
- RHSA-2019:3024
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- https://github.com/jquery/jquery/pull/4333
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
- [airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358
- [airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358
- [airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
- [airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358
- [roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js
- [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [flink-issues] 20200518 [jira] [Commented] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [flink-issues] 20200520 [jira] [Closed] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [syncope-dev] 20200423 Jquery version on 2.1.x/2.0.x
- [flink-issues] 20200518 [jira] [Assigned] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [flink-dev] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [storm-dev] 20200708 [GitHub] [storm] Crim opened a new pull request #3305: [STORM-3553] Upgrade jQuery from 1.11.1 to 3.5.1
- [flink-issues] 20200518 [jira] [Updated] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [flink-issues] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery
- [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html
- [debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update
- [debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update
- [debian-lts-announce] 20200224 [SECURITY] [DLA 2118-1] otrs2 security update
- [debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update
- FEDORA-2019-1a3edd7e8a
- FEDORA-2019-eba8e44ee6
- FEDORA-2019-7eaf0bbe7c
- FEDORA-2019-a06dffab1c
- FEDORA-2019-2a0ce0c58c
- FEDORA-2019-f563e66380
- 20190421 [SECURITY] [DSA 4434-1] drupal7 security update
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- 20190509 dotCMS v5.1.1 Vulnerabilities
- https://security.netapp.com/advisory/ntap-20190919-0001/
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1
- DSA-4434
- DSA-4460
- https://www.drupal.org/sa-core-2019-006
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/
- https://www.synology.com/security/advisory/Synology_SA_19_19
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2020-02
Modified: 2024-11-21
CVE-2019-12466
Wikimedia MediaWiki through 1.32.1 allows CSRF.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T25227
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12467
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T209794
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12468
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.
- https://lists.wikimedia.org/pipermail/mediawiki-announce/
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T197279
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12469
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T222036
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12470
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T222038
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12471
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T207603
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12472
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Modified: 2024-11-21
CVE-2019-12473
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T204729
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460
Modified: 2024-11-21
CVE-2019-12474
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
- https://phabricator.wikimedia.org/T212118
- 20190612 [SECURITY] [DSA 4460-1] mediawiki security update
- DSA-4460