
Path traversal for local publishers in TechDocs backend

Moderate severity GitHub Reviewed Published Jun 14, 2022 in backstage/backstage • Updated Jan 12, 2023

Package                                   Affected versions   Patched versions
@backstage/plugin-techdocs-node (npm)     < 1.1.2             1.1.2
@backstage/techdocs-common (npm)          < 0.11.16           0.11.16

Description

Impact

A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.

This vulnerability is mitigated by the fact that the Software Catalog must be configured with non-standard field format validators and/or non-standard entity policies.

Patches

Those affected are advised to upgrade to @backstage/plugin-techdocs-node version 1.1.2 or higher.

Workarounds

If patching or upgrading is not possible, it is sufficient to update any custom Catalog field format validators and/or custom entity policies to reject entity names, kinds, and namespaces containing ".." (the parent-directory path segment).
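As an added illustration, not code from the Backstage project, the following standalone TypeScript check does what the workaround describes: it rejects entity kinds, namespaces and names containing ".." (or a path separator) and, as a second layer, confirms that the directory a local publisher would write to still resolves under the configured root. The EntityRef type, the two function names and the namespace/kind/name directory layout are assumptions of this example.

```typescript
import * as path from "path";

// Minimal stand-in for the entity fields the check needs
// (constructed for this example, not Backstage's own Entity type).
export interface EntityRef {
  kind: string;
  namespace: string;
  name: string;
}

// Reject any kind, namespace or name that carries a ".." sequence or a
// path separator, so the value can never climb out of the publisher root.
export function rejectTraversalSegments(ref: EntityRef): string | undefined {
  for (const [field, value] of Object.entries(ref)) {
    if (value.includes("..") || /[\\/]/.test(value)) {
      return `${field} "${value}" contains a path traversal sequence`;
    }
  }
  return undefined;
}

// Defence in depth: build the on-disk directory (assumed layout
// root/namespace/kind/name) and verify it still resolves inside the root.
export function resolveDocsDir(root: string, ref: EntityRef): string {
  const problem = rejectTraversalSegments(ref);
  if (problem) {
    throw new Error(problem);
  }
  const absRoot = path.resolve(root);
  const target = path.resolve(absRoot, ref.namespace, ref.kind, ref.name);
  const rel = path.relative(absRoot, target);
  if (rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error(`resolved path ${target} escapes ${absRoot}`);
  }
  return target;
}
```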

For more information

If you have any questions or comments about this advisory:

References

@Rugvip Rugvip published to backstage/backstage Jun 14, 2022
Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-4jqc-jvh2-pxg9

Source code
