(GitHub Dependabot) Racing Conditions and path traversal in Grunt < 1.5.3 #1010
Comments
Hi, I see that grunt version is updated on 22nd Nov on github, which is the same date as latest deployment on pypi. However, package.json on pypi deployment still points to the older version with the security issue. Are there any plans for a fresh pypi deployment?

"devDependencies": {
"commitplease": "3.2.0",
"eslint-config-jquery": "3.0.0",
"glob": "7.1.7",
"grunt": "1.4.1",
"grunt-bowercopy": "1.2.5",
"grunt-cli": "1.4.3",
"grunt-compare-size": "0.4.2",
"grunt-contrib-concat": "1.0.1",
"grunt-contrib-csslint": "2.0.0",
"grunt-contrib-qunit": "5.0.1",
"grunt-contrib-requirejs": "1.0.0",
"grunt-contrib-uglify": "5.0.1",
"grunt-eslint": "23.0.0",
"grunt-git-authors": "3.2.0",
"grunt-html": "14.5.0",
"load-grunt-tasks": "5.1.0",
"rimraf": "3.0.2",
"testswarm": "1.1.2"
},

Thank you,
@hakan-77 I'm confused ... what package.json are you referring to? Because you are listing stuff which we don't use at all (e.g.
@sehmaschine looks like Grappelli's dependency on old grunt is through jquery. I'm sharing below where the problematic dependency is installed on a sample conda env:
I also think the grunt version is upgraded to fix with the below commit, but maybe this change was not deployed on pypi version of grappelli. What we get from pypi still has the old version of grunt with the security bug. ce7bd87#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
@hakan-77 Ok, thanks for checking. I think we can safely remove package.json from the jquery-ui package. Will do that.
Thank you, @sehmaschine
GitHub pinned it as a high-severity and moderate threat, full description:
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories, as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Solution:
Update "grunt": ">=1.5.3"
Grunt prior to version 1.5.2 is vulnerable to path traversal.
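The thread turns on a package.json bundled inside a Python distribution that still pins grunt 1.4.1, which is below the 1.5.3 fix version given in the advisory above. The following script is an added example, not code from grappelli, jquery-ui or grunt: it walks a directory tree (for instance an installed site-packages package), parses every package.json it finds, and reports any dependency section that pins grunt below 1.5.3. The sample manifests it builds in a temporary directory are constructed here to mirror the devDependencies pasted earlier in the issue; the file layout (`jquery-ui/package.json`, `other/package.json`) is an assumption for the demo only.

```python
"""Audit a tree for package.json files that pin a pre-1.5.3 grunt.

Added example (not part of grappelli or grunt). Version range handling is
deliberately conservative: a '^' or '~' range is judged by its floor, so
'^1.4.1' is flagged because without a lockfile the install may resolve
below the fixed version.
"""
import json
import os
import re
import tempfile

# First version with the file.copy TOCTOU fix, per the advisory in the issue.
FIXED_GRUNT = (1, 5, 3)

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Return the (major, minor, patch) floor of a pin or range, or None.

    Exact pins ('1.4.1') and prefixed ranges ('^1.4.1', '~1.4.1', '>=1.5.3')
    all yield their stated version. Specs with no x.y.z ('*', 'latest')
    return None, since no floor can be read from them.
    """
    m = _VER.search(spec)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(spec):
    """True when the spec's floor is below 1.5.3."""
    v = parse_version(spec)
    return v is not None and v < FIXED_GRUNT


def check_manifest(manifest):
    """Return [(section, spec), ...] for every grunt pin below 1.5.3."""
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get("grunt")
        if spec is not None and is_vulnerable(spec):
            hits.append((section, spec))
    return hits


def audit_tree(root):
    """Walk root and map each offending package.json path to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the audit.
            continue
        hits = check_manifest(manifest)
        if hits:
            findings[path] = hits
    return findings


def demo():
    """Build a constructed sample tree and audit it; keys are '/'-separated relative paths."""
    root = tempfile.mkdtemp(prefix="grunt-audit-")
    # Mirrors the devDependencies pasted in the issue (grunt pinned to 1.4.1).
    samples = {
        "jquery-ui": {"devDependencies": {"grunt": "1.4.1", "grunt-cli": "1.4.3"}},
        "other": {"devDependencies": {"grunt": ">=1.5.3"}},
    }
    for name, manifest in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return {
        os.path.relpath(path, root).replace(os.sep, "/"): hits
        for path, hits in audit_tree(root).items()
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_tree(target) if target else demo()
    for path, hits in results.items():
        for section, spec in hits:
            print(f"{path}: {section} pins grunt {spec} (< 1.5.3)")
```

Run it with a directory argument to audit a real install (for example the site-packages directory where a wheel unpacked its bundled JS assets); with no argument it audits the constructed sample tree. A manifest is only evidence that a vulnerable grunt was pinned at build time; whether the affected file.copy code is actually reachable at runtime from a Python deployment is a separate question, which is why the maintainer's response of dropping the bundled package.json is a reasonable resolution.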