CVE-2020-7729

NameCVE-2020-7729
DescriptionThe package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2368-1
NVD severitymedium
Debian Bugs969668

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
grunt (PTS)stretch1.0.1-5vulnerable
stretch (security)1.0.1-5+deb9u1fixed
buster1.0.1-8+deb10u1fixed
bullseye, sid1.3.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gruntsourcestretch1.0.1-5+deb9u1DLA-2368-1
gruntsourcebuster1.0.1-8+deb10u1
gruntsource(unstable)1.3.0-1969668

Notes

https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
https://snyk.io/vuln/SNYK-JS-GRUNT-597546

Search for package or bug name: Reporting problems