7.1

CVE-2020-7729

Exploit

Arbitrary Code Execution

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GruntjsGrunt SwPlatformnode.js Version < 1.3.0
DebianDebian Linux Version9.0
CanonicalUbuntu Linux Version18.04 SwEditionlts
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.29% 0.81
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.6 3.9 6.4
AV:N/AC:H/Au:S/C:P/I:P/A:P
report@snyk.io 7.1 1.2 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249
Broken Link
https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html
Third Party Advisory
Mailing List
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-GRUNT-597546
Third Party Advisory
Exploit
https://usn.ubuntu.com/4595-1/
Third Party Advisory