Hi, there are two issues highlighted by GitHub's dependabot:

- Race condition in Grunt
- Path Traversal in Grunt

Suggested fix: Update grunt to 1.5.3 -> Grunt prior to version 1.5.2 is vulnerable to path traversal.

From GitHub's dependabot: Upgrade grunt to fix 2 Dependabot alerts in static/grappelli/jquery/ui/package.json

Description: file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.