CVE-2022-1537
TOCTOU Race Condition vulnerability in grunt (npm)
What is CVE-2022-1537 About?
This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition in file.copy operations within GruntJS prior to version 1.5.3, leading to arbitrary file write. It enables a lower-privileged user to escalate privileges to the GruntJS user by manipulating file paths. Exploitation requires specific timing and file system access by a malicious local user.
Affected Software
grunt (npm) versions prior to 1.5.3
Technical Details
The vulnerability in GruntJS's file.copy operations (prior to 1.5.3) is a TOCTOU race condition. During a file copy operation, there's a time window between when the system checks a file's existence or permissions (Time-of-Check) and when it actually performs the copy (Time-of-Use). A lower-privileged attacker with write access to both the source and destination directories can exploit this by, for example, symlinking the destination path to a sensitive file (e.g., .bashrc of the GruntJS user or /etc/shadow) after the initial check but before the malicious content is written. This allows the attacker to achieve arbitrary file writes as the GruntJS user, potentially leading to local privilege escalation if the GruntJS user has elevated privileges (e.g., root).
What is the Impact of CVE-2022-1537?
Successful exploitation may allow attackers to achieve arbitrary file writes, overwrite critical system files, or inject malicious configurations, leading to local privilege escalation and full system compromise depending on the privileges of the affected user.
What is the Exploitability of CVE-2022-1537?
Exploitation of this TOCTOU race condition requires local access to the system and write permissions to both the source and destination directories involved in a file.copy operation by GruntJS. The complexity is moderate, requiring precise timing to execute a symbolic link or file replacement between the check and use phases. No authentication is required for the attacking user beyond basic system access. Privilege requirements involve a lower-privileged user needing local execution capability. This is a local access vulnerability. Special conditions include the ability to create symlinks and precisely time the attack. Risk factors increasing exploitation likelihood include shared development environments where multiple users can execute GruntJS tasks with elevated privileges, and poorly configured file permissions that grant write access to sensitive directories.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-1537?
Available Upgrade Options
- grunt
  - <1.5.3 → Upgrade to 1.5.3
Additional Resources
- https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae
- https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d
- https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-1537
- https://osv.dev/vulnerability/GHSA-rm36-94g8-835r
- https://github.com/gruntjs/grunt
What are Similar Vulnerabilities to CVE-2022-1537?
Similar Vulnerabilities: CVE-2022-26390, CVE-2021-42379, CVE-2021-33758, CVE-2020-10705, CVE-2019-15891
