CVE-2022-1537 - OpenCVE

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Gruntjs	Grunt

Configuration 1 [-]

cpe:2.3:a:gruntjs:grunt:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae	Patch Technical Description
https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d	Exploit Issue Tracking Patch Technical Description
https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-05-10T00:00:00

Updated: 2023-04-05T00:00:00

Reserved: 2022-04-29T00:00:00

Link: CVE-2022-1537

JSON object: View

NVD Information

Status : Modified

Published: 2022-05-10T14:15:08.403

Modified: 2023-04-05T22:15:07.090

Link: CVE-2022-1537

JSON object: View

Redhat Information

No data.

CWE

CWE-367

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-1537", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2023-04-05T00:00:00", "dateReserved": "2022-04-29T00:00:00", "datePublished": "2022-05-10T00:00:00"}, "containers": {"cna": {"title": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in gruntjs/grunt", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-04-05T00:00:00"}, "descriptions": [{"lang": "en", "value": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root."}], "affected": [{"vendor": "gruntjs", "product": "gruntjs/grunt", "versions": [{"version": "unspecified", "lessThan": "1.5.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"}, {"url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"}, {"name": "[debian-lts-announce] 20230405 [SECURITY] [DLA 3383-1] grunt security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "cweId": "CWE-367"}]}], "source": {"advisory": "0179c3e5-bc02-4fc9-8491-a1a319b51b4d", "discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gruntjs:grunt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2DEB7266-CC60-4BB6-B049-6D47F068BD83", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root."}, {"lang": "es", "value": "Las operaciones file.copy en GruntJS son vulnerables a una condici\u00f3n de carrera TOCTOU conllevando una escritura arbitraria de archivos en el repositorio de GitHub gruntjs/grunt versiones anteriores a 1.5.3. Esta vulnerabilidad es capaz de realizar escrituras arbitrarias en archivos que pueden conllevar a una escalada de privilegios local para el usuario de GruntJS si un usuario menos privilegiado presenta acceso de escritura a los directorios de origen y destino, ya que el usuario menos privilegiado puede crear un enlace simb\u00f3lico al archivo .bashrc del usuario de GruntJS o reemplazar el archivo /etc/shadow si el usuario de GruntJS es root"}], "id": "CVE-2022-1537", "lastModified": "2023-04-05T22:15:07.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-10T14:15:08.403", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Technical Description"], "url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Technical Description"], "url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"}, {"source": "security@huntr.dev", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Secondary"}]}