NodeJS/grunt/0.3.15
The JavaScript Task Runner
https://www.npmjs.com/package/grunt
MIT
3 Security Vulnerabilities
Path Traversal in Grunt
Published date: 2022-04-13T00:00:16Z
CVE: CVE-2022-0436
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0436
- https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665
- https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
- https://github.com/gruntjs/grunt/pull/1743
- https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c
- https://github.com/advisories/GHSA-j383-35pm-c5h4
- https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html
Grunt prior to version 1.5.2 is vulnerable to path traversal.
Affected versions:
["0.1.0", "0.1.2", "0.2.0", "0.2.1", "0.2.2", "0.2.6", "0.2.12", "0.2.15", "0.3.0", "0.3.1", "0.3.2", "0.3.6", "0.3.11", "0.3.13", "0.3.15", "0.3.16", "0.3.17", "0.4.1", "0.4.4", "0.4.5", "1.0.0", "0.3.13-a", "0.4.0-rc5", "0.4.0-rc6", "0.4.0-rc8", "1.0.2", "1.1.0", "1.2.0", "1.2.1", "0.1.1", "0.2.3", "0.2.4", "0.2.5", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.13", "0.2.14", "0.3.3", "0.3.4", "0.3.5", "0.3.7", "0.3.8", "0.3.9", "0.3.10", "0.3.12", "0.3.14", "0.4.0", "0.4.2", "0.4.3", "1.0.0-rc1", "1.0.1", "0.4.0-a", "0.4.0-rc1", "0.4.0-rc2", "0.4.0-rc3", "0.4.0-rc4", "0.4.0-rc7", "1.0.3", "1.0.4", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1"]
Secure versions:
[1.5.3, 1.6.0, 1.6.1]
Recommendation:
Update to version 1.6.1.
Arbitrary Code Execution in grunt
Published date: 2021-05-06T18:27:18Z
CVE: CVE-2020-7729
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7729
- https://github.com/advisories/GHSA-m5pj-vjjf-4m3h
- https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
- https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249
- https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546
- https://usn.ubuntu.com/4595-1/
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Affected versions:
["0.1.0", "0.1.2", "0.2.0", "0.2.1", "0.2.2", "0.2.6", "0.2.12", "0.2.15", "0.3.0", "0.3.1", "0.3.2", "0.3.6", "0.3.11", "0.3.13", "0.3.15", "0.3.16", "0.3.17", "0.4.1", "0.4.4", "0.4.5", "1.0.0", "0.3.13-a", "0.4.0-rc5", "0.4.0-rc6", "0.4.0-rc8", "1.0.2", "1.1.0", "1.2.0", "1.2.1", "0.1.1", "0.2.3", "0.2.4", "0.2.5", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.13", "0.2.14", "0.3.3", "0.3.4", "0.3.5", "0.3.7", "0.3.8", "0.3.9", "0.3.10", "0.3.12", "0.3.14", "0.4.0", "0.4.2", "0.4.3", "1.0.0-rc1", "1.0.1", "0.4.0-a", "0.4.0-rc1", "0.4.0-rc2", "0.4.0-rc3", "0.4.0-rc4", "0.4.0-rc7", "1.0.3", "1.0.4"]
Secure versions:
[1.5.3, 1.6.0, 1.6.1]
Recommendation:
Update to version 1.6.1.
Race Condition in Grunt
Published date: 2022-05-11T00:01:37Z
CVE: CVE-2022-1537
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1537
- https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae
- https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d
- https://github.com/advisories/GHSA-rm36-94g8-835r
- https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Affected versions:
["0.1.0", "0.1.2", "0.2.0", "0.2.1", "0.2.2", "0.2.6", "0.2.12", "0.2.15", "0.3.0", "0.3.1", "0.3.2", "0.3.6", "0.3.11", "0.3.13", "0.3.15", "0.3.16", "0.3.17", "0.4.1", "0.4.4", "0.4.5", "1.0.0", "0.3.13-a", "0.4.0-rc5", "0.4.0-rc6", "0.4.0-rc8", "1.0.2", "1.1.0", "1.2.0", "1.2.1", "0.1.1", "0.2.3", "0.2.4", "0.2.5", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.13", "0.2.14", "0.3.3", "0.3.4", "0.3.5", "0.3.7", "0.3.8", "0.3.9", "0.3.10", "0.3.12", "0.3.14", "0.4.0", "0.4.2", "0.4.3", "1.0.0-rc1", "1.0.1", "0.4.0-a", "0.4.0-rc1", "0.4.0-rc2", "0.4.0-rc3", "0.4.0-rc4", "0.4.0-rc7", "1.0.3", "1.0.4", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2"]
Secure versions:
[1.5.3, 1.6.0, 1.6.1]
Recommendation:
Update to version 1.6.1.
71 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.3.1 | MIT | 3 | 2012-03-25 - 18:25 | over 13 years |
| 0.3.0 | MIT | 3 | 2012-03-23 - 19:58 | over 13 years |
| 0.2.15 | MIT | 3 | 2012-02-07 - 21:50 | over 13 years |
| 0.2.14 | MIT | 3 | 2012-02-03 - 13:48 | over 13 years |
| 0.2.13 | MIT | 3 | 2012-02-02 - 00:42 | over 13 years |
| 0.2.12 | MIT | 3 | 2012-02-01 - 19:26 | over 13 years |
| 0.2.11 | MIT | 3 | 2012-02-01 - 04:16 | over 13 years |
| 0.2.10 | MIT | 3 | 2012-02-01 - 02:10 | over 13 years |
| 0.2.9 | MIT | 3 | 2012-01-31 - 14:10 | over 13 years |
| 0.2.8 | MIT | 3 | 2012-01-30 - 21:56 | over 13 years |
| 0.2.7 | MIT | 3 | 2012-01-30 - 19:51 | over 13 years |
| 0.2.6 | MIT | 3 | 2012-01-30 - 03:35 | over 13 years |
| 0.2.5 | MIT | 3 | 2012-01-29 - 22:19 | over 13 years |
| 0.2.4 | MIT | 3 | 2012-01-23 - 22:51 | over 13 years |
| 0.2.3 | MIT | 3 | 2012-01-23 - 22:01 | over 13 years |
| 0.2.2 | MIT | 3 | 2012-01-23 - 01:53 | over 13 years |
| 0.2.1 | MIT | 3 | 2012-01-23 - 01:30 | over 13 years |
| 0.2.0 | MIT | 3 | 2012-01-22 - 17:32 | over 13 years |
| 0.1.2 | MIT | 3 | 2012-01-19 - 15:25 | over 13 years |
| 0.1.1 | MIT | 3 | 2012-01-19 - 15:01 | over 13 years |
| 0.1.0 | MIT | 3 | 2012-01-12 - 13:08 | over 13 years |