CVE-2020-7729

NameCVE-2020-7729
DescriptionThe package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2368-1
Debian Bugs969668

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
grunt (PTS)bullseye1.3.0-1+deb11u2fixed
bookworm1.5.3-2fixed
forky, sid, trixie1.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gruntsourcestretch1.0.1-5+deb9u1DLA-2368-1
gruntsourcebuster1.0.1-8+deb10u1
gruntsource(unstable)1.3.0-1969668

Notes

https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
https://snyk.io/vuln/SNYK-JS-GRUNT-597546
Search for package or bug name: Reporting problems