CVE-2020-7729 — Initialization of a Resource with an Insecure Default in Grunt

CWE-1188 — Initialization of a Resource with an Insecure Default13 documents7 sources

Severity

7.1HIGHNVD

EPSS

2.4%

top 14.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gruntjs Grunt Canonical Ubuntu Linux Debian Linux

Timeline

PublishedSep 3

Latest updateFeb 7

Description

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5gruntjs/gruntunspecified — 1.3.0

▶NVDgruntjs/grunt< 1.3.0

▶npmgruntjs/grunt< 1.3.0

▶Debiangruntjs/grunt< 1.3.0-1+3

▶Ubuntugruntjs/grunt< 1.0.1-8ubuntu0.1+3

Also affects: Debian Linux 9.0, Ubuntu Linux 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

grunt vulnerabilities↗2023-02-07

▶

GHSA

Arbitrary Code Execution in grunt↗2021-05-06

▶

OSV

Arbitrary Code Execution in grunt↗2021-05-06

▶

OSV

grunt vulnerability↗2020-10-20

▶

OSV

CVE-2020-7729: The package grunt before 1↗2020-09-03

▶

📋Vendor Advisories

Ubuntu

Grunt vulnerabilities↗2023-02-07

▶

Ubuntu

Grunt vulnerability↗2020-10-20

▶

Debian

CVE-2020-7729: grunt - The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to...↗2020

▶

💬Community

Bugzilla

CVE-2020-7729 nodejs-grunt: use of the unsafe load function from js-yaml package can lead to ACE [fedora-all]↗2020-09-03

▶

Bugzilla

CVE-2020-7729 nodejs-grunt: use of the unsafe load function from js-yaml package can lead to ACE [epel-all]↗2020-09-03

▶

Bugzilla

CVE-2020-7729 nodejs-grunt: use of the unsafe load function from js-yaml package can lead to ACE↗2020-09-03

▶