← back
CVE-2020-7729

Arbitrary Code Execution

CVSS 7.1 HIGHEPSS 2.4%
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/RL:O
Affected products
n/a · grunt

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7https://lists.debian.org/debian-lts-announce/2020/09/msg00008.htmlhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922https://snyk.io/vuln/SNYK-JS-GRUNT-597546https://usn.ubuntu.com/4595-1/