The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:
jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.
It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.
2019-04-22, edited to add CVE.
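The behavior described in the release notes, as an added example that is not jQuery's or Drupal's own code: `deepMerge` is a simplified, hypothetical stand-in for a recursive merge with and without a `__proto__` guard, and `extendPollutesPrototype` checks whether an extend-style function lets a `__proto__` key reach `Object.prototype`. The probe name and the sample input are constructed.

```javascript
// Simplified stand-in for a recursive merge such as jQuery.extend(true, target, src).
// Hypothetical helper, not jQuery's source; skipProto toggles the guard.
function deepMerge(target, src, skipProto) {
  for (const name in src) {
    // Hardened form: never copy a "__proto__" key from the source object.
    if (skipProto && name === "__proto__") continue;
    const copy = src[name];
    if (copy !== null && typeof copy === "object") {
      // When name is "__proto__", target[name] reads Object.prototype itself,
      // so the recursive call writes the source's keys onto every object.
      const existing = target[name];
      const base = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepMerge(base, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same calling convention as jQuery.extend(deep, target, source).
const vulnerableExtend = (deep, target, src) => deepMerge(target, src, false);
const patchedExtend = (deep, target, src) => deepMerge(target, src, true);

// Returns true if the given extend function extends Object.prototype when the
// source object carries an enumerable "__proto__" property.
function extendPollutesPrototype(extend) {
  const probe = "__sa_probe__"; // constructed marker name
  // JSON.parse creates "__proto__" as an own, enumerable property, which is how
  // the key arrives in an unsanitized source object.
  const src = JSON.parse('{"__proto__": {"' + probe + '": true}}');
  try {
    extend(true, {}, src);
    return ({})[probe] === true; // a fresh object inherits the marker if polluted
  } finally {
    delete Object.prototype[probe]; // leave the runtime clean after the check
  }
}

console.log("unguarded merge pollutes:", extendPollutesPrototype(vulnerableExtend));
console.log("guarded merge pollutes:", extendPollutesPrototype(patchedExtend));
```

On a site you administer, passing the page's own `jQuery.extend` to `extendPollutesPrototype` in the browser console reports whether the copy of jQuery actually being served still has the unpatched behavior.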
Install the latest version:
- If you are using Drupal 8.6, update to Drupal 8.6.15.
- If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
- If you are using Drupal 7, update to Drupal 7.66.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Also see the Drupal core project page.
Additional information
All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.
- Alex Bronstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Jess of the Drupal Security Team
- Lauri Eskola
- Greg Knaddison of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team