
`@backstage/backend-common` vulnerable to path traversal through symlinks

High severity GitHub Reviewed Published Feb 23, 2024 in backstage/backstage • Updated Feb 23, 2024

Package

npm @backstage/backend-common (npm)

Affected versions

= 0.21.0
< 0.19.10
>= 0.20.0, < 0.20.2

Patched versions

0.21.1
0.19.10
0.20.2

Description

Impact

Path checks performed by the resolveSafeChildPath utility were not exhaustive enough, leaving a risk of path traversal if attackers are able to inject symlinks.

Patches

Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.

For more information

If you have any questions or comments about this advisory:

References

@benjdlambert benjdlambert published to backstage/backstage Feb 23, 2024
Published by the National Vulnerability Database Feb 23, 2024
Published to the GitHub Advisory Database Feb 23, 2024
Reviewed Feb 23, 2024
Last updated Feb 23, 2024

Severity

High
8.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2024-26150

GHSA ID

GHSA-2fc9-xpp8-2g9h

Source code
