Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-1537 (High) detected in grunt-1.5.2.tgz #1579

Closed
mend-for-github-com bot opened this issue May 11, 2022 · 0 comments · Fixed by #1580
Closed

CVE-2022-1537 (High) detected in grunt-1.5.2.tgz #1579

mend-for-github-com bot opened this issue May 11, 2022 · 0 comments · Fixed by #1580
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

CVE-2022-1537 - High Severity Vulnerability

Vulnerable Library - grunt-1.5.2.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-1.5.2.tgz

Dependency Hierarchy:

  • grunt-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Publish Date: 2022-05-10

URL: CVE-2022-1537

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/

Release Date: 2022-05-10

Fix Resolution: 1.5.3

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 11, 2022
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue May 11, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue May 11, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
@kavilla kavilla linked a pull request May 11, 2022 that will close this issue
7 tasks
@tmarkley tmarkley added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels May 11, 2022
kavilla added a commit that referenced this issue May 13, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue May 13, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
opensearch-trigger-bot bot pushed a commit that referenced this issue May 13, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
tmarkley pushed a commit that referenced this issue May 17, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
tmarkley pushed a commit that referenced this issue May 17, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue Jun 8, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue Jun 16, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 29, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 29, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 29, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
joshuarrrr added a commit that referenced this issue Mar 31, 2023
)

Main bump grunt via this PR:
 #1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue Jun 28, 2023
)

Main bump grunt via this PR:
 #1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 65deacb)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
ashwin-pc pushed a commit that referenced this issue Jun 30, 2023
) (#4435)

Main bump grunt via this PR:
 #1580

In 1.x, bump grunt is different because v1.5.3 requires node>=8
and no breaking changes. This is the latest version with no node
conflicts.  grunt requires node>=16 sincev1.6.0 . Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 65deacb)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant