CVE-2020-7729 – grunt
Package
Manager: npm
Name: grunt
Vulnerable Version: >=0 <1.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02395 pctl0.84459
Details
Arbitrary Code Execution in grunt
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution because grunt.file.readYAML parses YAML with js-yaml's load() rather than its safe replacement safeLoad(). load() resolves the full js-yaml schema, which includes tags such as !!js/function that turn a YAML scalar into a live JavaScript function, so a crafted YAML file passed through grunt.file.readYAML can cause code contained in that file to run. Versions 1.3.0 and later are not affected.
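The following is an added illustration, not grunt's or js-yaml's code: it models the load()/safeLoad() distinction with a small hand-written parser for a YAML subset (one `key: value` per line, optionally preceded by a `!!tag`). The tag tables, the `readYAMLUnsafe`/`readYAMLSafe` helpers and the hostile config are constructed for this example; what they reproduce is the mechanism, namely that a schema containing an executable tag lets config data become a function, which an innocent consumer then runs when it coerces the loaded object to a string.

```javascript
// Added example (constructed, not js-yaml's implementation).
const LINE_RE = /^(\w+):\s*(?:(!![\w/]+)\s+)?(.*)$/;

function unquote(s) {
  const q = s.length >= 2 && (s[0] === '"' || s[0] === "'") && s[s.length - 1] === s[0];
  return q ? s.slice(1, -1) : s;
}

// Constructed tag table standing in for the full schema that js-yaml's load()
// used before js-yaml 4: !!js/function compiles the scalar into a real function.
const UNSAFE_TAGS = {
  '!!str': (v) => unquote(v),
  '!!int': (v) => parseInt(v, 10),
  '!!js/function': (v) => new Function('return (' + unquote(v) + ')')(), // attacker text -> function
};

// Constructed table standing in for the safe schema: no executable tags,
// anything unknown is rejected instead of resolved.
const SAFE_TAGS = {
  '!!str': UNSAFE_TAGS['!!str'],
  '!!int': UNSAFE_TAGS['!!int'],
};

function parseYamlSubset(text, tags) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = LINE_RE.exec(line);
    if (!m) throw new Error('unsupported line in example parser: ' + line);
    const [, key, tag, value] = m;
    if (!tag) { out[key] = unquote(value); continue; }
    const construct = tags[tag];
    if (!construct) throw new Error('unknown tag ' + tag + ' rejected');
    out[key] = construct(value);
  }
  return out;
}

// Shape of grunt < 1.3.0: readYAML parses with the full schema.
function readYAMLUnsafe(text) { return parseYamlSubset(text, UNSAFE_TAGS); }
// Shape of the 1.3.0 fix: same API, safe schema only.
function readYAMLSafe(text) { return parseYamlSubset(text, SAFE_TAGS); }

// Constructed hostile config. Giving the "toString" key a function means any
// consumer that stringifies the loaded object runs attacker-controlled code.
const HOSTILE_YAML = `
name: build
toString: !!js/function "function () { return 'attacker code ran' }"
`;

// Simulates an innocent consumer (logging, templating) of the config object.
function consumeConfig(cfg) {
  return 'config: ' + String(cfg);
}

function demoUnsafe() {
  const cfg = readYAMLUnsafe(HOSTILE_YAML);
  return consumeConfig(cfg); // the YAML-supplied function body executes here
}

function demoSafe() {
  try {
    readYAMLSafe(HOSTILE_YAML);
    return 'loaded';
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

console.log(demoUnsafe());
console.log(demoSafe());
```

The point to carry over to real code: when auditing a js-yaml 3.x caller, treat every `load()` on input that can be influenced by a repository, a dependency or a user as this pattern and switch it to `safeLoad()`; in js-yaml 4 and later, `load()` is safe by default and `safeLoad()` no longer exists, so upgrading the library also closes the gap.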
Metadata
Created: 2021-05-06T18:27:18Z
Modified: 2021-05-04T22:57:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-m5pj-vjjf-4m3h/GHSA-m5pj-vjjf-4m3h.json
CWE IDs: ["CWE-1188"]
Alternative ID: GHSA-m5pj-vjjf-4m3h
Finding: F164
Auto approve: 1