Skip to content

BAU-3072 : Arbitrary Code Execution in grunt on angularjs-dropdown-multiselect #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

BAU-3072 : Arbitrary Code Execution in grunt on angularjs-dropdown-multiselect #6

wants to merge 1 commit into from

Conversation

@suraj-ubif
Copy link

@suraj-ubif suraj-ubif commented Jun 3, 2025
edited
Loading

Fix security issue UID:[464a445605c570ba4e60c5bb59912b79] - Arbitrary Code Execution in grunt on angularjs-dropdown-multiselect

Technical Details
Type: Arbitrary Code Execution in grunt
Target: angularjs-dropdown-multiselect

Vulnerability Details
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

@suraj-ubif suraj-ubif self-assigned this Jun 3, 2025
@suraj-ubif suraj-ubif changed the title BAU-3072 : Arbitrary Code Execution in grunt on angularjs-dropdown-mult… BAU-3072 : Arbitrary Code Execution in grunt on angularjs-dropdown-multiselect Jun 3, 2025
santosh-garudi
santosh-garudi approved these changes Jun 4, 2025
View reviewed changes
Copy link

@santosh-garudi santosh-garudi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@suraj-ubif suraj-ubif requested a review from ketvekariya June 4, 2025 11:45
@asurionsudarshanphule
Copy link

Can you confirm dev testing results for successful dev and prod builds after this change.

Also look for usage of this package in application and do spot checks and testing.

@asurionsudarshanphule
Copy link

@suraj-ubif Please confirm dev testing results and we can merge this.

@bakihanma20 bakihanma20 self-requested a review June 5, 2025 14:38
@bakihanma20
Copy link

@suraj-ubif did we spot check the front end for this. This is a big version jump.

@suraj-ubif
Copy link
Author

@suraj-ubif did we spot check the front end for this. This is a big version jump.

@bakihanma20 We are facing some testing challenges, As i discussed with braedon, we are holding this for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@s-calderon s-calderon s-calderon approved these changes

@asurionsudarshanphule asurionsudarshanphule asurionsudarshanphule approved these changes

@rahulagarwal11 rahulagarwal11 rahulagarwal11 approved these changes

@bakihanma20 bakihanma20 bakihanma20 approved these changes

@santosh-garudi santosh-garudi santosh-garudi approved these changes

@spjahagirdar spjahagirdar Awaiting requested review from spjahagirdar

@asurion-smehta asurion-smehta Awaiting requested review from asurion-smehta

@sushanttayade sushanttayade Awaiting requested review from sushanttayade

@ketvekariya ketvekariya Awaiting requested review from ketvekariya

@rahul-asurion rahul-asurion Awaiting requested review from rahul-asurion

@harsh-mehta-asurion harsh-mehta-asurion Awaiting requested review from harsh-mehta-asurion

Assignees

@suraj-ubif suraj-ubif

Labels

Do Not Merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@suraj-ubif @asurionsudarshanphule @bakihanma20 @s-calderon @rahulagarwal11 @santosh-garudi