grunt-1.0.3.tgz: 8 vulnerabilities (highest severity is: 9.8) #183
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github.aaakk.us.kg
bot
added
the
security vulnerability
1 task
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Vulnerabilities
Details
Vulnerable Library - getobject-0.1.0.tgz
get.and.set.deep.objects.easily = true
Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/getobject/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2020-12-29
URL: CVE-2020-28282
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/getobject
Release Date: 2020-12-29
Fix Resolution (getobject): 1.0.0
Direct dependency fix Resolution (grunt): 1.5.2
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - js-yaml-3.5.5.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (grunt): 1.5.2
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Publish Date: 2022-05-10
URL: CVE-2022-1537
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
Release Date: 2022-05-10
Fix Resolution: 1.5.3
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (grunt): 1.5.2
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - js-yaml-3.5.5.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (grunt): 1.5.2
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Publish Date: 2020-09-03
URL: CVE-2020-7729
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1684
Release Date: 2020-10-27
Fix Resolution: 1.3.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.
Publish Date: 2022-04-12
URL: CVE-2022-0436
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0436
Release Date: 2022-04-12
Fix Resolution: 1.5.1
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - hosted-git-info-2.7.1.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (grunt): 1.5.2
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: