CVE-2022-1537

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
TOCTOU
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
@huntrdevCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
VendorProductVersion
gruntjsgrunt
𝑥
< 1.5.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
grunt
bullseye
1.3.0-1+deb11u2
fixed
bookworm
1.5.3-2
fixed
sid
1.6.1-1
fixed
trixie
1.6.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
grunt
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
Fixed 1.4.1-2ubuntu0.1~esm1
released
impish
ignored
focal
Fixed 1.0.4-2ubuntu0.1~esm1
released
bionic
Fixed 1.0.1-8ubuntu0.1+esm1
released
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae
https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d
https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html
https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae
https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d
https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html