Friday, April 26, 2024

Ember 4.8.1, 4.4.4, 3.28.10, 3.24.7


Today we are releasing Ember.js 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3 to patch a security vulnerability. A CVE number is pending and this post will be updated to include it once it has been issued.

Apps that pass untrusted input as paths to EmberObject.setProperties or EmberObject.set, or the corresponding standalone functions setProperties or set, may get surprising results that, in combination with other application bugs, could lead to cross-site scripting vulnerabilities.

import EmberObject from '@ember/object';

let o = new EmberObject();

// untrustedPath and untrustedValue stand for input an outside party can
// control (for example a request parameter); the path is the dangerous part.

// Can lead to prototype pollution in unpatched Ember versions
o.set(untrustedPath, untrustedValue);

// Can lead to prototype pollution in unpatched Ember versions
o.setProperties({ [untrustedPath]: untrustedValue });

These methods were vulnerable to Prototype Pollution, meaning an attacker can set paths like __proto__.__proto__.isAdmin to mutate unexpected objects, including JavaScript intrinsics like the global Object. Depending on the specifics of your application, this could be leveraged as part of an attack to steal user credentials.

While deep property chaining is an intended feature of these APIs, and passing untrusted input to them is ill-advised, we agree that this behavior is surprising enough to constitute an elevated security risk. So this release forbids chaining any set or setProperties through __proto__ or constructor.

Apps on unsupported releases that cannot immediately upgrade should audit their usage of setProperties and set to ensure they are not allowing users to control the paths.
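As an added example (not Ember's own code, and not the patch itself), the following deep-set guard mirrors the rule the patched releases enforce: no segment of a dotted path may be __proto__ or constructor. The function names isSafePath, safeSet and safeSetProperties are assumed for illustration; an app that wraps its own calls to set or setProperties this way gets the same refusal behaviour while it audits for caller-controlled paths.

```javascript
// Added example, not part of the Ember advisory or the Ember code base.
// Path segments the patched Ember releases refuse to chain through.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor']);

// True when a dotted path is a non-empty string with no forbidden segment.
function isSafePath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Deep set that throws on a forbidden path instead of walking it, and only
// follows or creates own plain-object properties, so a caller-supplied path
// cannot reach Object.prototype.
function safeSet(target, path, value) {
  if (!isSafePath(path)) {
    throw new Error(`Refusing to set through a forbidden path segment: ${path}`);
  }
  const segments = path.split('.');
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const existing = current[seg];
    // Only descend into own, non-null objects; otherwise start a fresh one.
    if (!Object.prototype.hasOwnProperty.call(current, seg) ||
        existing === null || typeof existing !== 'object') {
      current[seg] = {};
    }
    current = current[seg];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// The same guard applied to a setProperties-style hash of { path: value }.
function safeSetProperties(target, hash) {
  for (const path of Object.keys(hash)) {
    safeSet(target, path, hash[path]);
  }
  return target;
}

// Constructed sample: a legitimate nested path versus the attacker-shaped
// path quoted in the advisory. Returns what happened so it can be checked.
function demo() {
  const user = { profile: {} };
  safeSet(user, 'profile.displayName', 'alice');
  let rejected = false;
  try {
    safeSet(user, '__proto__.__proto__.isAdmin', true);
  } catch (e) {
    rejected = true;
  }
  return {
    displayName: user.profile.displayName,
    rejected,
    // Confirms the global Object prototype was not touched.
    polluted: ({}).isAdmin !== undefined,
  };
}
```

The guard throws rather than silently dropping the write, which makes misuse visible in logs during an audit; the own-property check is an extra precaution beyond the two forbidden names and keeps the walk from descending into inherited objects.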

Thanks to Masato Kinugawa for finding and reporting this issue.


