Debian Security Advisory

DLA-3383-1 grunt -- LTS security update

Date Reported:
05 Apr 2023
Affected Packages:
grunt
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2022-1537.
More information:

It was discovered that there was a potential local privilege escalation in GruntJS, a multipurpose task runner and build system tool.

file.copy operations in GruntJS were vulnerable to a TOCTOU ("time-of-check vs. time-of-use") race condition that could have led to arbitrary file writes in GitHub repositories. This could have then led to local privilege escalation if a lower-privileged user had write access to both source and destination directories, as the lower-privileged user could have created a symlink to the GruntJS user's ~/.bashrc configuration file or a similar file.

  • CVE-2022-1537

    file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
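The class of bug described above, as an added example that is neither Grunt's code nor the Debian patch: a copy routine that checks the destination and then writes to it by path, next to one that has the kernel refuse a symlink at open() time. The function names, the `raceWindow` hook and the temp-directory file names are assumptions made for the illustration, and `O_NOFOLLOW` is POSIX only.

```javascript
// Added illustration (not Grunt's code): check-then-use copy vs. a copy that
// lets the kernel refuse symlinks at open() time. POSIX only (O_NOFOLLOW).
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Racy pattern: lstat() the destination, then write to it by path.
// `raceWindow` is a hypothetical hook standing in for another local user
// acting between the check and the write.
function copyCheckThenWrite(src, dest, raceWindow = () => {}) {
  const st = fs.lstatSync(dest, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) throw new Error('refusing symlink: ' + dest);
  raceWindow();                                   // time of check != time of use
  fs.writeFileSync(dest, fs.readFileSync(src));   // follows whatever dest is now
}

// Hardened pattern: no separate check. O_NOFOLLOW makes open() fail (ELOOP on
// Linux) if the final path component is a symlink, atomically with the open.
function copyNoFollow(src, dest) {
  const { O_RDONLY, O_WRONLY, O_CREAT, O_TRUNC, O_NOFOLLOW } = fs.constants;
  const inFd = fs.openSync(src, O_RDONLY | O_NOFOLLOW);
  try {
    if (!fs.fstatSync(inFd).isFile()) throw new Error('source is not a regular file');
    const outFd = fs.openSync(dest, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0o600);
    try {
      fs.writeFileSync(outFd, fs.readFileSync(inFd)); // operate on fds, not paths
    } finally { fs.closeSync(outFd); }
  } finally { fs.closeSync(inFd); }
}

// Constructed scenario in a throwaway temp directory.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-'));
  const src = path.join(dir, 'src.txt');
  const dest = path.join(dir, 'dest.txt');
  const sensitive = path.join(dir, 'sensitive.txt'); // stands in for ~/.bashrc
  fs.writeFileSync(src, 'build output\n');
  fs.writeFileSync(sensitive, 'original\n');

  copyCheckThenWrite(src, dest, () => fs.symlinkSync(sensitive, dest));
  const afterRacy = fs.readFileSync(sensitive, 'utf8');

  fs.writeFileSync(sensitive, 'original\n');      // reset; dest is still a symlink
  let hardenedError = null;
  try { copyNoFollow(src, dest); } catch (e) { hardenedError = e.code; }
  const afterHardened = fs.readFileSync(sensitive, 'utf8');
  fs.rmSync(dir, { recursive: true, force: true });
  return { afterRacy, hardenedError, afterHardened };
}
```

`O_NOFOLLOW` only guards the final path component; symlinked parent directories are still followed, so build jobs should also avoid copying into directories writable by less-privileged users.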

For Debian 10 Buster, this problem has been fixed in version 1.0.1-8+deb10u2.

We recommend that you upgrade your grunt packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS