Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yZmM5LXhwcDgtMmc5aM4AA5ef

`@backstage/backend-common` vulnerable to path traversal through symlinks

Impact

Path checks performed by the resolveSafeChildPath utility were not exhaustive enough, leaving a risk of path traversal if an attacker is able to inject symlinks into the checked directory.

Patches

Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-2fc9-xpp8-2g9h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZmM5LXhwcDgtMmc5aM4AA5ef
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 2 months ago


CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Identifiers: GHSA-2fc9-xpp8-2g9h, CVE-2024-26150
References: Repository: https://github.com/backstage/backstage
Blast Radius: 23.3

Affected Packages

npm:@backstage/backend-common
Dependent packages: 328
Dependent repositories: 472
Downloads: 831,396 last month
Affected Version Ranges: >= 0.20.0 < 0.20.2; < 0.19.10; = 0.21.0
Fixed in: 0.20.2, 0.19.10, 0.21.1
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.19.9, 0.20.0, 0.20.1, 0.21.0
All unaffected versions: 0.19.10, 0.20.2, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.21.6, 0.21.7