Lucene search

SnykCVE-2020-7729

HistorySep 03, 2020 - 9:15 a.m.

CVE-2020-7729

2020-09-0309:15:10

CWE-1188

snyk

web.nvd.nist.gov

cve-2020-7729

nvd

package grunt

arbitrary code execution

js-yaml

CVSS2

4.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:S/C:P/I:P/A:P

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

High

EPSS

0.009

Percentile

82.3%

JSON

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Affected configurations

Nvd

Node

gruntjsgruntRange<1.3.0node.js

Node

debiandebian_linuxMatch9.0

Node

canonicalubuntu_linuxMatch18.04lts

VendorProductVersionCPE
gruntjsgrunt*cpe:2.3:a:gruntjs:grunt:*:*:*:*:*:node.js:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
canonicalubuntu_linux18.04cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Vendor	Product	Version	CPE
gruntjs	grunt	*	cpe:2.3:a:gruntjs:grunt::::::node.js::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
canonical	ubuntu_linux	18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::

CNA Affected

[
  {
    "product": "grunt",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "1.3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]