CVE-2022-1537 (High) detected in grunt-1.5.2.tgz #1579
Labels: cve (Security vulnerabilities detected by Dependabot or Mend); high severity (High severity CVE); Mend: dependency security vulnerability (Security vulnerability detected by Mend)
Comments
mend-for-github-com (bot) added the "Mend: dependency security vulnerability" label on May 11, 2022.
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue on May 11, 2022:
Addresses CVE-2022-1537 Issue: opensearch-project#1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue on May 11, 2022:
Addresses CVE-2022-1537 Issue: opensearch-project#1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
tmarkley added the "high severity" and "cve" labels on May 11, 2022.
kavilla added a commit that referenced this issue on May 13, 2022:
Addresses CVE-2022-1537 Issue: #1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
opensearch-trigger-bot (bot) pushed a commit that referenced this issue on May 13, 2022:
Addresses CVE-2022-1537 Issue: #1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 1792662)
opensearch-trigger-bot (bot) pushed a commit that referenced this issue on May 13, 2022:
Addresses CVE-2022-1537 Issue: #1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 1792662)
tmarkley pushed a commit that referenced this issue on May 17, 2022:
Addresses CVE-2022-1537 Issue: #1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 1792662)
tmarkley pushed a commit that referenced this issue on May 17, 2022:
Addresses CVE-2022-1537 Issue: #1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 1792662)
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue on Jun 8, 2022:
Addresses CVE-2022-1537 Issue: opensearch-project#1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue on Jun 16, 2022:
Addresses CVE-2022-1537 Issue: opensearch-project#1579 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue on Mar 29, 2023:
Main bump grunt via this PR: opensearch-project#1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: opensearch-project#1579 opensearch-project#1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue on Mar 29, 2023:
Main bump grunt via this PR: opensearch-project#1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: opensearch-project#1579 opensearch-project#1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue on Mar 29, 2023:
Main bump grunt via this PR: opensearch-project#1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: opensearch-project#1579 opensearch-project#1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue on Mar 30, 2023:
Main bump grunt via this PR: opensearch-project#1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: opensearch-project#1579 opensearch-project#1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
joshuarrrr added a commit that referenced this issue on Mar 31, 2023:
Main bump grunt via this PR: #1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: #1579 #1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot (bot) pushed a commit that referenced this issue on Jun 28, 2023:
Main bump grunt via this PR: #1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: #1579 #1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 65deacb) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
ashwin-pc pushed a commit that referenced this issue on Jun 30, 2023:
(#4435) Main bump grunt via this PR: #1580. In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we should be very specific and limit the bump range. Issue Resolve: #1579 #1450 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 65deacb) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
CVE-2022-1537 - High Severity Vulnerability
Vulnerable Library - grunt-1.5.2.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.5.2.tgz
Dependency Hierarchy:
Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371
Found in base branch: main
Vulnerability Details
file.copy operations in GruntJS are vulnerable to a TOCTOU (time-of-check to time-of-use) race condition leading to an arbitrary file write in the GitHub repository gruntjs/grunt prior to 1.5.3. Because the write can be redirected to any path, the vulnerability can lead to local privilege escalation to the GruntJS user when a lower-privileged user has write access to both the source and destination directories: that user can create a symlink to the GruntJS user's .bashrc file, or replace the /etc/shadow file if the GruntJS user is root.
Publish Date: 2022-05-10
URL: CVE-2022-1537
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
Release Date: 2022-05-10
Fix Resolution: 1.5.3