Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00anFjLWp2aDItcHhnOc4AArtF
Path traversal for local publishers in TechDocs backend
Impact
A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.
This vulnerability is mitigated by the fact that the Software Catalog must be configured with non-standard field format validators and/or non-standard entity policies.
Patches
Those affected are advised to upgrade to @backstage/plugin-techdocs-node version 1.1.2 or higher.
Workarounds
If patching or upgrading is not possible, it is sufficient to update any custom Catalog field format validators and/or custom entity policies so that entity names, kinds, and namespaces containing the sequence ".." are rejected.
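The following TypeScript is an added illustration of the failure mode described under Impact and of the check the workaround above calls for; it is not code from the Backstage project or from the advisory. It assumes a local publisher that lays files out as <root>/<namespace>/<kind>/<name>; the EntityRef shape, the helper names, the publish root and the sample entities are all constructed for this example.

```typescript
import * as nodePath from 'path';

// Use POSIX semantics regardless of host so the results are deterministic.
const path = nodePath.posix;

// Stand-in for the three catalog entity fields the assumed publisher uses
// to build its output path (assumption for this example only).
export interface EntityRef {
  namespace: string;
  kind: string;
  name: string;
}

// Constructed sample data. The second entity carries a traversal sequence
// in its name; five '..' segments are enough to climb out of the assumed root.
export const PUBLISH_ROOT = '/var/techdocs/static';
export const benignEntity: EntityRef = {
  namespace: 'default',
  kind: 'Component',
  name: 'my-service',
};
export const traversalEntity: EntityRef = {
  namespace: 'default',
  kind: 'Component',
  name: '../../../../../etc/cron.d/evil',
};

// Naive layout <root>/<namespace>/<kind>/<name>. path.join normalizes the
// '..' segments, so a crafted entity name resolves outside the publish root.
export function naiveTargetDir(root: string, entity: EntityRef): string {
  return path.join(root, entity.namespace, entity.kind, entity.name);
}

// Hardened variant with two independent checks.
export function safeTargetDir(root: string, entity: EntityRef): string {
  const resolvedRoot = path.resolve(root);
  const segments = [entity.namespace, entity.kind, entity.name];

  // 1. The advisory's workaround, applied at the publisher: refuse any
  //    segment containing '..'. Separators, NUL and empty segments are
  //    refused too, since each would let one field span path components.
  for (const seg of segments) {
    if (
      seg === '' ||
      seg.includes('..') ||
      seg.includes('/') ||
      seg.includes('\\') ||
      seg.includes('\0')
    ) {
      throw new Error(`unsafe path segment in entity: ${JSON.stringify(seg)}`);
    }
  }

  // 2. Containment check on the resolved result. This is what actually
  //    decides whether a write stays under the root, so it still holds if
  //    the layout or the segment validation above changes later.
  const target = path.resolve(resolvedRoot, ...segments);
  const rel = path.relative(resolvedRoot, target);
  if (rel === '' || rel === '..' || rel.startsWith('../')) {
    throw new Error(`target escapes publish root: ${target}`);
  }
  return target;
}

// True when the hardened variant refuses the entity.
export function isRejected(root: string, entity: EntityRef): boolean {
  try {
    safeTargetDir(root, entity);
    return false;
  } catch {
    return true;
  }
}

console.log('naive :', naiveTargetDir(PUBLISH_ROOT, traversalEntity));
console.log('safe  :', isRejected(PUBLISH_ROOT, traversalEntity) ? 'rejected' : 'accepted');
```

Check 1 mirrors the advisory's wording, so it also rejects a name such as "a..b" that would not traverse anything; check 2 is the one that decides containment and is cheap enough to keep even on a patched version. On an unpatched deployment the catalog-side validators remain the right place for the fix, because the publisher is only one of several consumers of entity names.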
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our chat, linked to in the Backstage README
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00anFjLWp2aDItcHhnOc4AArtF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 2 years ago
Identifiers: GHSA-4jqc-jvh2-pxg9
References:
- https://github.com/backstage/backstage/security/advisories/GHSA-4jqc-jvh2-pxg9
- https://github.com/backstage/backstage/commit/429c9f9daa5654dd1b996aa85f7264eb23a2e4fa
- https://github.com/advisories/GHSA-4jqc-jvh2-pxg9
Blast Radius: 0.0
Affected Packages
npm:@backstage/techdocs-common
Dependent packages: 4
Dependent repositories: 79
Downloads: 2,794 last month
Affected Version Ranges: < 0.11.16
Fixed in: 0.11.16
All affected versions: 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15
All unaffected versions:
npm:@backstage/plugin-techdocs-node
Dependent packages: 6
Dependent repositories: 350
Downloads: 319,184 last month
Affected Version Ranges: < 1.1.2
Fixed in: 1.1.2
All affected versions: 0.11.12, 1.0.0, 1.1.0, 1.1.1
All unaffected versions: 1.1.2, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14