{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1537", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2024-08-03T00:10:03.294Z", "dateReserved": "2022-04-29T00:00:00", "datePublished": "2022-05-10T00:00:00"}, "containers": {"cna": {"title": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in gruntjs/grunt", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-04-05T00:00:00"}, "descriptions": [{"lang": "en", "value": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root."}], "affected": [{"vendor": "gruntjs", "product": "gruntjs/grunt", "versions": [{"version": "unspecified", "lessThan": "1.5.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"}, {"url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"}, {"name": "[debian-lts-announce] 20230405 [SECURITY] [DLA 3383-1] grunt security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "cweId": "CWE-367"}]}], "source": {"advisory": "0179c3e5-bc02-4fc9-8491-a1a319b51b4d", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.294Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d", "tags": ["x_transferred"]}, {"url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230405 [SECURITY] [DLA 3383-1] grunt security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gruntjs:grunt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2DEB7266-CC60-4BB6-B049-6D47F068BD83", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root."}, {"lang": "es", "value": "Las operaciones file.copy en GruntJS son vulnerables a una condici\u00f3n de carrera TOCTOU conllevando una escritura arbitraria de archivos en el repositorio de GitHub gruntjs/grunt versiones anteriores a 1.5.3. Esta vulnerabilidad es capaz de realizar escrituras arbitrarias en archivos que pueden conllevar a una escalada de privilegios local para el usuario de GruntJS si un usuario menos privilegiado presenta acceso de escritura a los directorios de origen y destino, ya que el usuario menos privilegiado puede crear un enlace simb\u00f3lico al archivo .bashrc del usuario de GruntJS o reemplazar el archivo /etc/shadow si el usuario de GruntJS es root"}], "id": "CVE-2022-1537", "lastModified": "2024-11-21T06:40:55.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-10T14:15:08.403", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Technical Description"], "url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Technical Description"], "url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"}, {"source": "security@huntr.dev", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Technical Description"], "url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Technical Description"], "url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "gruntjs: race condition leading to arbitrary file write", "id": "2083902", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2083902"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", "A flaw was found in the GruntJS package during file.copy operations. This vulnerability is capable of arbitrary file writes, that can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories. This flaw allows a lower-privileged user to create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root."], "name": "CVE-2022-1537", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "impact": "moderate", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "gruntjs", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.jboss.hal-hal-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "gruntjs", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2022-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-1537\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1537\nhttps://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"], "threat_severity": "Important"}

{}