-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
grunt-1.0.3.tgz: 8 vulnerabilities (highest severity is: 9.8) #21
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
Security vulnerability detected by WhiteSource
label
Feb 14, 2022
1 task
mend-for-github-com
bot
changed the title
grunt-1.0.3.tgz: 7 vulnerabilities (highest severity is: 9.8)
grunt-1.0.3.tgz: 8 vulnerabilities (highest severity is: 9.8)
Apr 14, 2022
mend-for-github-com
bot
changed the title
grunt-1.0.3.tgz: 8 vulnerabilities (highest severity is: 9.8)
grunt-1.0.3.tgz: 9 vulnerabilities (highest severity is: 9.8)
Apr 14, 2022
mend-for-github-com
bot
changed the title
grunt-1.0.3.tgz: 9 vulnerabilities (highest severity is: 9.8)
grunt-1.0.3.tgz: 10 vulnerabilities (highest severity is: 9.8)
May 11, 2022
mend-for-github-com
bot
changed the title
grunt-1.0.3.tgz: 10 vulnerabilities (highest severity is: 9.8)
grunt-1.0.3.tgz: 8 vulnerabilities (highest severity is: 9.8)
Jun 29, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Vulnerabilities
Details
CVE-2020-28282
Vulnerable Library - getobject-0.1.0.tgz
get.and.set.deep.objects.easily = true
Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/getobject/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2020-12-29
URL: CVE-2020-28282
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/getobject
Release Date: 2020-12-29
Fix Resolution (getobject): 1.0.0
Direct dependency fix Resolution (grunt): 1.3.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0063
Vulnerable Library - js-yaml-3.5.5.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (grunt): 1.0.4
⛑️ Automatic Remediation is available for this issue
CVE-2021-33623
Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (grunt): 1.2.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0032
Vulnerable Library - js-yaml-3.5.5.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (grunt): 1.0.4
⛑️ Automatic Remediation is available for this issue
CVE-2020-7729
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Publish Date: 2020-09-03
URL: CVE-2020-7729
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1684
Release Date: 2020-10-27
Fix Resolution: 1.3.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-1537
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Publish Date: 2022-05-10
URL: CVE-2022-1537
CVSS 3 Score Details (7.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
Release Date: 2022-05-10
Fix Resolution: 1.5.3
⛑️ Automatic Remediation is available for this issue
CVE-2022-0436
Vulnerable Library - grunt-1.0.3.tgz
The JavaScript Task Runner
Library home page: https://registry.npmjs.org/grunt/-/grunt-1.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grunt/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.
Publish Date: 2022-04-12
URL: CVE-2022-0436
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0436
Release Date: 2022-04-12
Fix Resolution: 1.5.1
⛑️ Automatic Remediation is available for this issue
CVE-2021-23362
Vulnerable Library - hosted-git-info-2.7.1.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 3c6c8b1083ad63c98e2306891044400e62b9545f
Found in base branch: master
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (grunt): 1.0.4
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: