The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Weakness
The product initializes or sets a resource with a default that is intended to be changed by the product’s installer, administrator, or maintainer, but the default is not secure.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Grunt | Gruntjs | * | 1.3.0 (excluding) |
| Grunt | Ubuntu | bionic | * |
| Grunt | Ubuntu | esm-apps/bionic | * |
| Grunt | Ubuntu | esm-apps/focal | * |
| Grunt | Ubuntu | focal | * |
| Grunt | Ubuntu | groovy | * |
| Grunt | Ubuntu | trusty | * |
| Grunt | Ubuntu | upstream | * |
Related Attack Patterns
References
- https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249
- https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
- https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://usn.ubuntu.com/4595-1/
- https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249
- https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
- https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://usn.ubuntu.com/4595-1/