PublicDateAtUSN: 2020-09-03 09:15:00 UTC
Candidate: CVE-2020-7729
PublicDate: 2020-09-03 09:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729
 https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
 https://snyk.io/vuln/SNYK-JS-GRUNT-597546
 https://ubuntu.com/security/notices/USN-4595-1
Description:
 The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution
 due to the default usage of the function load() instead of its secure
 replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969668
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H [7.1 HIGH]

Patches_grunt:
upstream_grunt: released (1.3.0-1)
precise/esm_grunt: DNE
trusty_grunt: ignored (out of standard support)
trusty/esm_grunt: DNE
xenial_grunt: DNE
bionic_grunt: released (1.0.1-8ubuntu0.1)
focal_grunt: needs-triage
groovy_grunt: ignored (reached end-of-life)
hirsute_grunt: not-affected (1.3.0-1)
impish_grunt: not-affected (1.3.0-1)
jammy_grunt: not-affected (1.3.0-1)
devel_grunt: not-affected (1.3.0-1)