CVE-2019-11358
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype [1].
REPORTED PRODUCTS
- WSO2 API Manager: 4.5.0
WSO2 JUSTIFICATION
jQuery is included only in Swagger UI–related static frontend assets bundled with OpenAPI Generator. These assets are not used, served, or executed by WSO2 API Manager at runtime. API-M uses OpenAPI Generator only for Java-based backend processing (e.g., client SDK generation) and does not execute any JavaScript code. Therefore, the reported jQuery vulnerabilities are not reachable or exploitable in the API-M runtime and do not pose a security risk.