CVE-2020-7729
PUBLISHED
Versions of the grunt package before 1.3.0 are vulnerable to Arbitrary Code Execution because grunt.file.readYAML uses js-yaml's load() function by default instead of its secure replacement, safeLoad().
Risk Scores
EPSS Score
2.42%
85.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:20.04:LTS | grunt | 0, 1.0.1-9, 1.0.4-2 |
| Ubuntu:18.04:LTS | grunt | 1.0.1-6, 0, 1.0.1-8 |
Timeline
- Sep 3, 2020 CVE Published
- Oct 27, 2020 CVE Updated
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-7729 third-party-advisory
- https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7 third-party-advisory
- https://snyk.io/vuln/SNYK-JS-GRUNT-597546 third-party-advisory
- https://ubuntu.com/security/notices/USN-4595-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-5847-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-7729 third-party-advisory