Arbitrary Code Execution

Affecting grunt package, versions <1.3.0


Overview

grunt is a JavaScript task runner.

Affected versions of this package are vulnerable to Arbitrary Code Execution because grunt.file.readYAML parses YAML with the js-yaml function load() by default instead of its safe replacement safeLoad(). In js-yaml 3.x, load() resolves the full schema, which includes JavaScript-specific tags, so untrusted YAML handed to readYAML can produce live JavaScript values rather than plain data.

Remediation

Upgrade grunt to version 1.3.0 or higher.
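The safe-loader choice described above, as an added example that is not grunt's or js-yaml's own code: a small hardened YAML reader that first scans the document for the JavaScript-specific tags js-yaml's full schema would resolve, then parses only with the safe entry point of whichever js-yaml major is available. The js-yaml module is passed in as a parameter (so the block runs offline and can be exercised with a stub), and the sample YAML documents are constructed here for illustration; they are not from the advisory.

```javascript
'use strict';

// Tags that js-yaml's pre-4.x full schema (used by load()) resolves to live
// JavaScript values. safeLoad() in 3.x and load() in 4.x reject them.
const JS_TAG_PATTERN = /!!js\/(function|regexp|undefined)\b/;

// Constructed sample inputs (not from the advisory).
const SAMPLE_SAFE = 'name: grunt\nversion: "1.3.0"\ntasks:\n  - lint\n  - test\n';
const SAMPLE_UNSAFE =
  'name: grunt\n' +
  'callback: !!js/function "function () { return 1; }"\n';

// Report every line carrying a JavaScript-specific tag. A non-empty result
// means the document must not be parsed with a full-schema loader.
function findJsTags(yamlText) {
  const hits = [];
  yamlText.split(/\r?\n/).forEach((line, idx) => {
    const m = JS_TAG_PATTERN.exec(line);
    if (m) hits.push({ line: idx + 1, tag: '!!js/' + m[1] });
  });
  return hits;
}

// Pick the safe entry point of the installed js-yaml major:
//   3.x: safeLoad() uses the safe schema, load() uses the full schema.
//   4.x: safeLoad() was removed and load() is safe by default.
function pickSafeLoader(yaml) {
  if (typeof yaml.safeLoad === 'function') return { name: 'safeLoad', fn: yaml.safeLoad };
  if (typeof yaml.load === 'function') return { name: 'load', fn: yaml.load };
  throw new TypeError('expected a js-yaml module exposing safeLoad() or load()');
}

// Hardened equivalent of a readYAML helper (hypothetical name): fail closed on
// JavaScript tags, then parse with the safe loader only.
function readYAMLSafely(yamlText, yaml) {
  const tags = findJsTags(yamlText);
  if (tags.length > 0) {
    const where = tags.map((t) => t.tag + ' at line ' + t.line).join(', ');
    throw new Error('refusing YAML with JavaScript tags: ' + where);
  }
  const loader = pickSafeLoader(yaml);
  return loader.fn.call(yaml, yamlText);
}

module.exports = { findJsTags, pickSafeLoader, readYAMLSafely, SAMPLE_SAFE, SAMPLE_UNSAFE };
```

In a real project the `yaml` argument is simply `require('js-yaml')`. The tag scan is deliberately coarse (a quoted string containing the text `!!js/function` is also rejected), which is the right trade-off for configuration files that may come from a repository you do not control: a false positive costs a parse error, a false negative costs code execution.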

CVSS Score

7.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/RL:O
Credit: Snyk Security Team
CVE: CVE-2020-7729
CWE: CWE-94
Snyk ID: SNYK-JS-GRUNT-597546
Disclosed: 07 Aug, 2020
Published: 20 Aug, 2020