Description
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
References
- Broken Link
- Patch, Third Party Advisory
- Mailing List, Third Party Advisory
- Third Party Advisory
- Exploit, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 1.3.0 (excluding)
cpe:2.3:a:gruntjs:grunt:*:*:*:*:*:node.js:*:*
Configuration 2
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Configuration 3
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
EPSS
Percentile: 87%
0.03584
Low
CVSS3: 7.1 High
CVSS2: 4.6 Medium
Weaknesses
CWE-1188
Related vulnerabilities
CVSS3: 7.1
ubuntu
more than 5 years ago
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
CVSS3: 7.1
debian
more than 5 years ago
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execut ...