Source: ubuntu cve (Ubuntu.com), UB:CVE-2022-1537
History: May 10, 2022 - 12:00 a.m.

CVE-2022-1537

2022-05-10 00:00:00
ubuntu.com
cve-2022-1537; gruntjs; toctou race condition; arbitrary file write; github repository; privilege escalation; link symlink; patch; bug bounty report; vulnerability; race condition; local privilege escalation

CVSS2: 6.9
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 7
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 21.9%

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes which can
lead to local privilege escalation to the GruntJS user if a
lower-privileged user has write access to both source and destination
directories as the lower-privileged user can create a symlink to the
GruntJS user’s .bashrc file or replace /etc/shadow file if the GruntJS user
is root.

Notes

Author Note (ccdm94): this CVE seems to be closely related to CVE-2022-0436, with its fix editing code which was included in the patch to CVE-2022-0436 as well. In the bug bounty report to this CVE, the researcher mentions that the possibility of this vulnerability existing had already been considered in the CVE-2022-0436 bug bounty report; however, a fix for this was not applied together with the fix for CVE-2022-0436, and therefore a new report was made.
OS      Version  Architecture  Package  Version                     Filename
ubuntu  18.04    noarch        grunt    < 1.0.1-8ubuntu0.1+esm1     UNKNOWN
ubuntu  20.04    noarch        grunt    < 1.0.4-2ubuntu0.1~esm1     UNKNOWN
ubuntu  22.04    noarch        grunt    < 1.4.1-2ubuntu0.1~esm1     UNKNOWN
