CVE-2022-0436

Name: CVE-2022-0436
Description: Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3386-1, ELA-672-1
Debian Bugs: 1009676

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                                  Version           Status
grunt (PTS)     stretch (security)                       1.0.1-5+deb9u1    vulnerable
                stretch (lts), stretch                   1.0.1-5+deb9u2    fixed
                buster (security), buster, buster (lts)  1.0.1-8+deb10u3   fixed
                bullseye                                 1.3.0-1+deb11u2   fixed
                bookworm                                 1.5.3-2           fixed
                sid, trixie                              1.6.1-1           fixed

The information below is based on the following data on fixed versions.

Package  Type    Release       Fixed Version    Urgency  Origin      Debian Bugs
grunt    source  experimental  1.5.2-1
grunt    source  stretch       1.0.1-5+deb9u2            ELA-672-1
grunt    source  buster        1.0.1-8+deb10u3           DLA-3386-1
grunt    source  bullseye      1.3.0-1+deb11u1
grunt    source  (unstable)    1.5.2-2                               1009676

Notes

[stretch] - grunt <no-dsa> (Minor issue)
https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)
https://github.com/gruntjs/grunt/pull/1740
https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
