The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code.
NOTE: This vulnerability has been assigned CVE-2019-11358.
Advisory Deviation Notice: The Sonatype security research team discovered that the CVSS score of the vulnerability is 9.8, not 6.1 as the advisory states.
The application is vulnerable by using this component.
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
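The following is an added illustration, not jQuery's own code and not part of the advisory: a minimal recursive "extend" that reproduces the class of defect described above (a deep merge that walks into the "__proto__" key of untrusted input and so writes into Object.prototype), placed beside a hardened variant that skips that key, which is the kind of check the fixed jQuery releases apply. The payload string is a constructed sample standing in for untrusted input such as a parsed JSON request body; the helper names are assumptions for this example.

```javascript
// Added example, not jQuery's code. Shows how a naive deep "extend"
// lets untrusted input reach Object.prototype, and how a hardened
// merge avoids it.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable merge: copies every own key of `source`, including the
// "__proto__" key that JSON.parse creates as an own property. Reading
// target["__proto__"] yields Object.prototype, and the recursion then
// writes the attacker's keys onto it (simplified model of the defect).
function extendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      target[key] = extendUnsafe(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened merge: refuse to walk into the prototype-related keys, and
// only recurse into plain objects. Skipping "__proto__" is the check
// the fixed jQuery versions added; "constructor" and "prototype" are
// skipped as well to be conservative.
function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue;
    }
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = extendSafe(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample of untrusted input (e.g. a parsed request body).
const UNTRUSTED_JSON = '{"__proto__": {"polluted": "yes"}}';

// Runs one merge against the sample and reports whether an unrelated
// object now sees the injected property through its prototype chain.
// Restores Object.prototype afterwards so the check is repeatable.
function pollutionCheck(mergeFn, untrustedJson) {
  const probe = {}; // unrelated object; should never gain "polluted"
  mergeFn({}, JSON.parse(untrustedJson));
  const leaked = probe.polluted === 'yes';
  delete Object.prototype.polluted; // clean up global state
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge polluted prototype:', pollutionCheck(extendUnsafe, UNTRUSTED_JSON));
  console.log('safe merge polluted prototype:  ', pollutionCheck(extendSafe, UNTRUSTED_JSON));
}
```

Run it with `node` to see the unsafe merge report `true` and the hardened one `false`. The probe-object pattern in pollutionCheck is also a cheap regression test to keep in a project's suite after upgrading jquery: if any merge path still reaches Object.prototype, an unrelated object suddenly exposes the injected key.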