CVE-2022-1537

NameCVE-2022-1537
Descriptionfile.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3383-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
grunt (PTS)buster1.0.1-8+deb10u1vulnerable
buster (security)1.0.1-8+deb10u3fixed
bullseye1.3.0-1+deb11u2fixed
bookworm1.5.3-2fixed
sid, trixie1.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gruntsourcebuster1.0.1-8+deb10u2DLA-3383-1
gruntsourcebullseye1.3.0-1+deb11u2
gruntsource(unstable)1.5.3-1

Notes

https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae (v1.5.3)
Search for package or bug name: Reporting problems