CVE-2019-10768: Input Validation
First published: Tue Nov 19 2019(Updated: )
AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| AngularJS | <1.7.9 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=17.1.0<=17.1.1 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.10 | |
| OSIsoft PI Asset Framework (AF) Client | ||
| OSIsoft PI Software Development Kit (SDK) | ||
| OSIsoft PI API | ||
| OSIsoft PI API | ||
| OSIsoft PI Buffer Subsystem | ||
| OSIsoft PI Connector for BACnet | ||
| OSIsoft PI Connector for CygNet | ||
| OSIsoft PI Connector for DC Systems RTscada | ||
| OSIsoft PI Connector for Ethernet/IP | ||
| OSIsoft | ||
| OSIsoft PI Connector for Ping | ||
| OSIsoft PI Connector for Wonderware Historian | ||
| OSIsoft PI Connector Relay | ||
| OSIsoft PI Data Archive | ||
| OSIsoft PI Data Collection Manager | ||
| OSIsoft PI Integrator for Business Analytics | ||
| OSIsoft PI Interface Configuration Utility | ||
| OSIsoft PI to OCS |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
- https://www.cisa.gov/news-events/ics-advisories/icsa-20-133-02 (Advisory)
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://my.f5.com/manage/s/article/K000141463
- https://exchange.xforce.ibmcloud.com/vulnerabilities/172185
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this security flaw in AngularJS?
The vulnerability ID of this security flaw in AngularJS is CVE-2019-10768.
What is the severity rating of CVE-2019-10768?
CVE-2019-10768 has a severity rating of 7.5 (High).
What is the impact of this vulnerability?
This vulnerability in AngularJS allows a remote attacker to bypass security restrictions and modify properties of Object.prototype.
Which software products are affected by this vulnerability in AngularJS?
IBM Cloud Pak for Business Automation versions V22.0.2 - V22.0.2-IF004 and V21.0.3 - V21.0.3-IF020 are affected by this vulnerability.
How can this vulnerability be exploited?
The vulnerability can be exploited by sending a specially-crafted request using a constructor payload.
- agent/type
- agent/remedy
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/severity
- agent/description
- agent/event
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/f5-advisory
- source/F5
- alias/CVE-2019-10768
- alias/CVE-2023-26116
- alias/CVE-2023-26117
- alias/CVE-2023-26118
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- alias/CVE-2019-11358
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes
- vendor/angularjs
- canonical/angularjs
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/17.1.0
- version/f5 big-ip and big-iq centralized management/17.1.1
- version/f5 big-ip and big-iq centralized management/16.1.0
- version/f5 big-ip and big-iq centralized management/16.1.5
- version/f5 big-ip and big-iq centralized management/15.1.0
- version/f5 big-ip and big-iq centralized management/15.1.10
- vendor/osisoft
- canonical/osisoft pi asset framework (af) client
- canonical/osisoft pi software development kit (sdk)
- canonical/osisoft pi api
- canonical/osisoft pi buffer subsystem
- canonical/osisoft pi connector for bacnet
- canonical/osisoft pi connector for cygnet
- canonical/osisoft pi connector for dc systems rtscada
- canonical/osisoft pi connector for ethernet/ip
- canonical/osisoft
- canonical/osisoft pi connector for ping
- canonical/osisoft pi connector for wonderware historian
- canonical/osisoft pi connector relay
- canonical/osisoft pi data archive
- canonical/osisoft pi data collection manager
- canonical/osisoft pi integrator for business analytics
- canonical/osisoft pi interface configuration utility
- canonical/osisoft pi to ocs