usn-5847-1
Vulnerability from osv_ubuntu
Published
2023-02-07 18:56
Modified
2026-04-27 14:11
Summary
grunt vulnerabilities
Details
It was discovered that Grunt was not properly loading YAML files before parsing them. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-7729)
It was discovered that Grunt was not properly handling symbolic links when performing file copy operations. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. (CVE-2022-0436)
It was discovered that there was a race condition in the Grunt file copy function, which could lead to an arbitrary file write. An attacker could possibly use this issue to perform a local privilege escalation attack or to execute arbitrary code. (CVE-2022-1537)
References
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-0436",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-1537",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "grunt",
"binary_version": "1.0.1-8ubuntu0.1+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "grunt",
"purl": "pkg:deb/ubuntu/grunt@1.0.1-8ubuntu0.1+esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1-8ubuntu0.1+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.1-5",
"1.0.1-6",
"1.0.1-7",
"1.0.1-8",
"1.0.1-8ubuntu0.1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2020-7729",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-0436",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-1537",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "grunt",
"binary_version": "1.0.4-2ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "grunt",
"purl": "pkg:deb/ubuntu/grunt@1.0.4-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4-2ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.1-9",
"1.0.4-2"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-0436",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-1537",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "grunt",
"binary_version": "1.4.1-2ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "grunt",
"purl": "pkg:deb/ubuntu/grunt@1.4.1-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1-2ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0-1",
"1.3.0-2",
"1.4.1-1",
"1.4.1-2"
]
}
],
"aliases": [],
"details": "It was discovered that Grunt was not properly loading YAML files before\nparsing them. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2020-7729)\n\nIt was discovered that Grunt was not properly handling symbolic links\nwhen performing file copy operations. An attacker could possibly use this\nissue to expose sensitive information or execute arbitrary code.\n(CVE-2022-0436)\n\nIt was discovered that there was a race condition in the Grunt file copy\nfunction, which could lead to an arbitrary file write. An attacker could\npossibly use this issue to perform a local privilege escalation attack or\nto execute arbitrary code. (CVE-2022-1537)\n",
"id": "USN-5847-1",
"modified": "2026-04-27T14:11:29Z",
"published": "2023-02-07T18:56:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5847-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-7729"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-0436"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-1537"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "grunt vulnerabilities",
"upstream": [
"UBUNTU-CVE-2020-7729",
"UBUNTU-CVE-2022-0436",
"UBUNTU-CVE-2022-1537"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…