All the vulnerabilites related to backstage - backstage
cve-2021-41151
Vulnerability from cvelistv5
Published
2021-10-18 20:30
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
Path Traversal in @backstage/plugin-scaffolder-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673 | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.637Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003e=0.9.4, \u003c 0.15.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request` action and a particular source path. When the template is executed the sensitive files would be included in the published pull request. This vulnerability is mitigated by the fact that an attacker would need access to create and register templates in the Backstage catalog, and that the attack is very visible given that the exfiltration happens via a pull request. The vulnerability is patched in the `0.15.9` release of `@backstage/plugin-scaffolder-backend`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T20:30:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006"
}
],
"source": {
"advisory": "GHSA-pvv8-8fx9-h673",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in @backstage/plugin-scaffolder-backend",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41151",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in @backstage/plugin-scaffolder-backend"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003e=0.9.4, \u003c 0.15.9"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request` action and a particular source path. When the template is executed the sensitive files would be included in the published pull request. This vulnerability is mitigated by the fact that an attacker would need access to create and register templates in the Backstage catalog, and that the attack is very visible given that the exfiltration happens via a pull request. The vulnerability is patched in the `0.15.9` release of `@backstage/plugin-scaffolder-backend`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673"
},
{
"name": "https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006"
}
]
},
"source": {
"advisory": "GHSA-pvv8-8fx9-h673",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41151",
"datePublished": "2021-10-18T20:30:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-45815
Vulnerability from cvelistv5
Published
2024-09-17 20:14
Modified
2024-09-18 14:49
Severity ?
EPSS score ?
Summary
Prototype pollution in @backstage/plugin-catalog-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:49:00.159321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:49:10.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:14:31.104Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j"
}
],
"source": {
"advisory": "GHSA-3x3f-jcp3-g22j",
"discovery": "UNKNOWN"
},
"title": "Prototype pollution in @backstage/plugin-catalog-backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45815",
"datePublished": "2024-09-17T20:14:31.104Z",
"dateReserved": "2024-09-09T14:23:07.506Z",
"dateUpdated": "2024-09-18T14:49:10.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-53983
Vulnerability from cvelistv5
Published
2024-11-29 18:53
Modified
2024-12-02 22:16
Severity ?
EPSS score ?
Summary
Server-side request forgery in Backstage Scaffolder plugin
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9 | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/tree/master/plugins/scaffolder-node | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T22:15:55.540623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T22:16:09.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.12"
},
{
"status": "affected",
"version": "= 0.5.0"
},
{
"status": "affected",
"version": "= 0.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Backstage Scaffolder plugin Houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as the Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin. The issue has been resolved in versions `v0.4.12`, `v0.5.1` and `v0.6.1` of the `@backstage/plugin-scaffolder-node` package. Users are encouraged to upgrade to this version to mitigate the vulnerability. Users are advised to upgrade. Users unable to upgrade may ensure that templates do not change git config."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T18:53:13.289Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9"
},
{
"name": "https://github.com/backstage/backstage/tree/master/plugins/scaffolder-node",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/tree/master/plugins/scaffolder-node"
}
],
"source": {
"advisory": "GHSA-qmc2-jpr5-7rg9",
"discovery": "UNKNOWN"
},
"title": "Server-side request forgery in Backstage Scaffolder plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53983",
"datePublished": "2024-11-29T18:53:13.289Z",
"dateReserved": "2024-11-25T23:14:36.380Z",
"dateUpdated": "2024-12-02T22:16:09.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47762
Vulnerability from cvelistv5
Published
2024-10-03 17:14
Modified
2024-10-03 17:40
Severity ?
EPSS score ?
Summary
Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"lessThan": "0.3.75",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T17:39:32.784567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T17:40:40.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.75"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T17:14:34.529Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"
},
{
"name": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f"
}
],
"source": {
"advisory": "GHSA-qc4v-xq2m-65wc",
"discovery": "UNKNOWN"
},
"title": "Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47762",
"datePublished": "2024-10-03T17:14:34.529Z",
"dateReserved": "2024-09-30T21:28:53.231Z",
"dateUpdated": "2024-10-03T17:40:40.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-32791
Vulnerability from cvelistv5
Published
2025-04-16 21:46
Modified
2025-04-17 13:11
Severity ?
EPSS score ?
Summary
Permission policy information leakage in Backstage permission system
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T13:11:00.498647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T13:11:08.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact. This issue has been patched in version 0.6.0 of the permissions backend. A workaround includes having administrators of the permission policies ensure that they are crafted in such a way that conditional decisions do not contain any sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-213",
"description": "CWE-213: Exposure of Sensitive Information Due to Incompatible Policies",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T21:46:23.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777"
}
],
"source": {
"advisory": "GHSA-f8j4-p5cr-p777",
"discovery": "UNKNOWN"
},
"title": "Permission policy information leakage in Backstage permission system"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32791",
"datePublished": "2025-04-16T21:46:23.659Z",
"dateReserved": "2025-04-10T12:51:12.281Z",
"dateUpdated": "2025-04-17T13:11:08.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32660
Vulnerability from cvelistv5
Published
2021-06-03 17:05
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
TechDocs content sanitization bypass
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-pwhf-39xg-4rxw | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c | x_refsource_MISC | |
| https://github.com/backstage/backstage/releases/tag/release-2021-06-03 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pwhf-39xg-4rxw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage\u0027s TechDocs. In versions of `@backstage/tehdocs-common` prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is hosted on the same origin as the Backstage app or other backend plugins, this may give access to sensitive data. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store. The vulnerability is patched in the `0.6.4` release of `@backstage/techdocs-common`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T17:05:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pwhf-39xg-4rxw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
}
],
"source": {
"advisory": "GHSA-pwhf-39xg-4rxw",
"discovery": "UNKNOWN"
},
"title": "TechDocs content sanitization bypass",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32660",
"STATE": "PUBLIC",
"TITLE": "TechDocs content sanitization bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003c 0.6.4"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage\u0027s TechDocs. In versions of `@backstage/tehdocs-common` prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is hosted on the same origin as the Backstage app or other backend plugins, this may give access to sensitive data. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store. The vulnerability is patched in the `0.6.4` release of `@backstage/techdocs-common`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-pwhf-39xg-4rxw",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pwhf-39xg-4rxw"
},
{
"name": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"name": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
}
]
},
"source": {
"advisory": "GHSA-pwhf-39xg-4rxw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32660",
"datePublished": "2021-06-03T17:05:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-25571
Vulnerability from cvelistv5
Published
2023-02-14 17:00
Modified
2025-03-10 21:12
Severity ?
EPSS score ?
Summary
Backstage has XSS Vulnerability in Software Catalog
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-7hv8-3fr9-j2hv | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/3d1371954512f7fa8bd0e2d357e00eada2c3e8a8 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-7hv8-3fr9-j2hv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-7hv8-3fr9-j2hv"
},
{
"name": "https://github.com/backstage/backstage/commit/3d1371954512f7fa8bd0e2d357e00eada2c3e8a8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/3d1371954512f7fa8bd0e2d357e00eada2c3e8a8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25571",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:57:44.844140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:12:13.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
},
{
"status": "affected",
"version": "\u003c 0.12.4"
},
{
"status": "affected",
"version": "\u003c 1.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals. `@backstage/catalog-model` prior to version 1.2.0, `@backstage/core-components` prior to 0.12.4, and `@backstage/plugin-catalog-backend` prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack.\n\nThis vulnerability has been patched in both the frontend and backend implementations. The default `Link` component from `@backstage/core-components` version 1.2.0 and greater will now reject `javascript:` URLs, and there is a global override of `window.open` to do the same. In addition, the catalog model v0.12.4 and greater as well as the catalog backend v1.7.2 and greater now has additional validation built in that prevents `javascript:` URLs in known annotations. As a workaround, the general practice of limiting access to modifying catalog content and requiring code reviews greatly help mitigate this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-84",
"description": "CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T17:00:19.154Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-7hv8-3fr9-j2hv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-7hv8-3fr9-j2hv"
},
{
"name": "https://github.com/backstage/backstage/commit/3d1371954512f7fa8bd0e2d357e00eada2c3e8a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/3d1371954512f7fa8bd0e2d357e00eada2c3e8a8"
}
],
"source": {
"advisory": "GHSA-7hv8-3fr9-j2hv",
"discovery": "UNKNOWN"
},
"title": "Backstage has XSS Vulnerability in Software Catalog"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25571",
"datePublished": "2023-02-14T17:00:19.154Z",
"dateReserved": "2023-02-07T17:10:00.739Z",
"dateUpdated": "2025-03-10T21:12:13.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-35926
Vulnerability from cvelistv5
Published
2023-06-22 13:29
Modified
2024-12-05 17:48
Severity ?
EPSS score ?
Summary
Insecure sandbox in Backstage Scaffolder plugin
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a | x_refsource_MISC | |
| https://github.com/backstage/backstage/releases/tag/v1.15.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:40.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"
},
{
"name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"
},
{
"name": "https://github.com/backstage/backstage/releases/tag/v1.15.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T17:47:53.884189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:48:07.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T13:29:03.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"
},
{
"name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"
},
{
"name": "https://github.com/backstage/backstage/releases/tag/v1.15.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"
}
],
"source": {
"advisory": "GHSA-wg6p-jmpc-xjmr",
"discovery": "UNKNOWN"
},
"title": "Insecure sandbox in Backstage Scaffolder plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35926",
"datePublished": "2023-06-22T13:29:03.361Z",
"dateReserved": "2023-06-20T14:02:45.592Z",
"dateUpdated": "2024-12-05T17:48:07.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-46976
Vulnerability from cvelistv5
Published
2024-09-17 20:12
Modified
2024-09-18 13:47
Severity ?
EPSS score ?
Summary
Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:47:03.279646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:47:17.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim\u0027s browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:12:35.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685"
}
],
"source": {
"advisory": "GHSA-5j94-f3mf-8685",
"discovery": "UNKNOWN"
},
"title": "Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-46976",
"datePublished": "2024-09-17T20:12:35.332Z",
"dateReserved": "2024-09-16T16:10:09.017Z",
"dateUpdated": "2024-09-18T13:47:17.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-26150
Vulnerability from cvelistv5
Published
2024-02-23 15:46
Modified
2024-08-01 23:59
Severity ?
EPSS score ?
Summary
`@backstage/backend-common` vulnerable to path traversal through symlinks
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-23T22:34:48.476857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:21.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"
},
{
"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"
},
{
"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"
},
{
"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "= 0.21.0"
},
{
"status": "affected",
"version": "\u003c 0.19.10"
},
{
"status": "affected",
"version": "\u003e= 0.20.0, \u003c 0.20.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T15:46:35.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"
},
{
"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"
},
{
"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"
},
{
"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"
}
],
"source": {
"advisory": "GHSA-2fc9-xpp8-2g9h",
"discovery": "UNKNOWN"
},
"title": "`@backstage/backend-common` vulnerable to path traversal through symlinks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26150",
"datePublished": "2024-02-23T15:46:35.731Z",
"dateReserved": "2024-02-14T17:40:03.690Z",
"dateUpdated": "2024-08-01T23:59:32.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-45816
Vulnerability from cvelistv5
Published
2024-09-17 20:13
Modified
2024-09-18 14:50
Severity ?
EPSS score ?
Summary
Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:50:10.374774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:50:20.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:13:29.331Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g"
}
],
"source": {
"advisory": "GHSA-39v3-f278-vj3g",
"discovery": "UNKNOWN"
},
"title": "Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45816",
"datePublished": "2024-09-17T20:13:29.331Z",
"dateReserved": "2024-09-09T14:23:07.506Z",
"dateUpdated": "2024-09-18T14:50:20.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-43783
Vulnerability from cvelistv5
Published
2021-11-29 19:20
Modified
2024-08-04 04:03
Severity ?
EPSS score ?
Summary
Path Traversal in @backstage/plugin-scaffolder-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents. This vulnerability is fixed in version `0.15.14` of the `@backstage/plugin-scaffolder-backend`. This attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-29T19:20:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f"
}
],
"source": {
"advisory": "GHSA-mg3m-f475-28hv",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in @backstage/plugin-scaffolder-backend",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43783",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in @backstage/plugin-scaffolder-backend"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003c 0.15.14"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents. This vulnerability is fixed in version `0.15.14` of the `@backstage/plugin-scaffolder-backend`. This attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv"
},
{
"name": "https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f"
}
]
},
"source": {
"advisory": "GHSA-mg3m-f475-28hv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43783",
"datePublished": "2021-11-29T19:20:09",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32661
Vulnerability from cvelistv5
Published
2021-06-03 17:25
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
TechDocs object element script injection
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c | x_refsource_MISC | |
| https://github.com/backstage/backstage/releases/tag/release-2021-06-03 | x_refsource_MISC | |
| https://github.com/backstage/backstage/security/advisories/GHSA-gg96-f8wr-p89f | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-gg96-f8wr-p89f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals. In versions of Backstage\u0027s Techdocs Plugin (`@backstage/plugin-techdocs`) prior to 0.9.5, a malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an `object` element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store. The vulnerability is patched in the `0.9.5` release of `@backstage/plugin-techdocs`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T17:25:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-gg96-f8wr-p89f"
}
],
"source": {
"advisory": "GHSA-gg96-f8wr-p89f",
"discovery": "UNKNOWN"
},
"title": "TechDocs object element script injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32661",
"STATE": "PUBLIC",
"TITLE": "TechDocs object element script injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003c 0.9.5"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Backstage is an open platform for building developer portals. In versions of Backstage\u0027s Techdocs Plugin (`@backstage/plugin-techdocs`) prior to 0.9.5, a malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an `object` element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store. The vulnerability is patched in the `0.9.5` release of `@backstage/plugin-techdocs`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c"
},
{
"name": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-06-03"
},
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-gg96-f8wr-p89f",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-gg96-f8wr-p89f"
}
]
},
"source": {
"advisory": "GHSA-gg96-f8wr-p89f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32661",
"datePublished": "2021-06-03T17:25:10",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32662
Vulnerability from cvelistv5
Published
2021-06-03 22:00
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
TechDocs mkdocs.yml path traversal
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6 | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208 | x_refsource_MISC | |
| https://github.com/backstage/backstage/releases/tag/release-2021-05-27 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-05-27"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage\u0027s TechDocs. In `@backstage/techdocs-common` versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T22:00:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-05-27"
}
],
"source": {
"advisory": "GHSA-pgf8-28gg-vpr6",
"discovery": "UNKNOWN"
},
"title": "TechDocs mkdocs.yml path traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32662",
"STATE": "PUBLIC",
"TITLE": "TechDocs mkdocs.yml path traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003c 0.6.3"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage\u0027s TechDocs. In `@backstage/techdocs-common` versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6"
},
{
"name": "https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208"
},
{
"name": "https://github.com/backstage/backstage/releases/tag/release-2021-05-27",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/releases/tag/release-2021-05-27"
}
]
},
"source": {
"advisory": "GHSA-pgf8-28gg-vpr6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32662",
"datePublished": "2021-06-03T22:00:12",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-43776
Vulnerability from cvelistv5
Published
2021-11-26 18:15
Modified
2024-08-04 04:03
Severity ?
EPSS score ?
Summary
XSS vulnerability in @backstage/plugin-auth-backend
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49 | x_refsource_CONFIRM | |
| https://github.com/backstage/backstage/tree/master/plugins/auth-backend | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/backstage/backstage/tree/master/plugins/auth-backend"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user\u0027s browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This is vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-26T18:15:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/backstage/backstage/tree/master/plugins/auth-backend"
}
],
"source": {
"advisory": "GHSA-w7fj-336r-vw49",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability in @backstage/plugin-auth-backend",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43776",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability in @backstage/plugin-auth-backend"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "backstage",
"version": {
"version_data": [
{
"version_value": "\u003c 0.4.9"
}
]
}
}
]
},
"vendor_name": "backstage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user\u0027s browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This is vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49",
"refsource": "CONFIRM",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49"
},
{
"name": "https://github.com/backstage/backstage/tree/master/plugins/auth-backend",
"refsource": "MISC",
"url": "https://github.com/backstage/backstage/tree/master/plugins/auth-backend"
}
]
},
"source": {
"advisory": "GHSA-w7fj-336r-vw49",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43776",
"datePublished": "2021-11-26T18:15:10",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}