grunt-ftp-push@0.3.4

Vulnerabilities

2 via 2 paths

Dependencies

36

Source

npm


critical severity

Arbitrary Code Injection

  • Vulnerable module: growl
  • Introduced through: jasmine-node@1.16.2

Detailed paths

  • Introduced through: grunt-ftp-push@0.3.4 jasmine-node@1.16.2 jasmine-growl-reporter@0.2.1 growl@1.7.0
    Remediation: Upgrade to grunt-ftp-push@0.4.0.

Overview

growl is a package adding Growl support for Nodejs.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides eval() by default; it evaluates a string as JavaScript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

Upgrade growl to version 1.10.0 or higher.


medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: jasmine-node@1.16.2

Detailed paths

  • Introduced through: grunt-ftp-push@0.3.4 jasmine-node@1.16.2 underscore@1.9.2

Overview

underscore is a functional programming helper library for JavaScript.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings, because that value is not sanitized.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.
