A prototype pollution vulnerability exists in Ember.js prior to 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3. An attacker can set paths like __proto__.__proto__.isAdmin to mutate unexpected objects, including Javascript intrinsics like the global Object. Depending on the specifics of your application, this can be leveraged as part of an attack to steal user credentials.
WS-2022-0363 - Critical Severity Vulnerability
A JavaScript framework for creating ambitious web applications
Library home page: https://registry.npmjs.org/ember-source/-/ember-source-2.14.1.tgz
Path to dependency file: /vendor/github.com/hashicorp/vault/ui/package.json
Path to vulnerable library: /vendor/github.com/hashicorp/vault/ui/node_modules/ember-source/package.json
Dependency Hierarchy: - :x: **ember-source-2.14.1.tgz** (Vulnerable Library)
Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b
Found in base branch: master
A prototype pollution vulnerability exists in Ember.js prior to 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3. An attacker can set paths like __proto__.__proto__.isAdmin to mutate unexpected objects, including Javascript intrinsics like the global Object. Depending on the specifics of your application, this can be leveraged as part of an attack to steal user credentials.
Publish Date: 2022-11-03
URL: WS-2022-0363
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://blog.emberjs.com/ember-4-8-1-released/
Release Date: 2022-11-03
Fix Resolution: 3.24.7
Step up your Open Source Security Game with Mend here