Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yZmM5LXhwcDgtMmc5aM4AA5ef
`@backstage/backend-common` vulnerable to path traversal through symlinks
Impact
Path checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to a risk of path traversal vulnerabilities if symlinks can be injected by attackers.
Patches
- Patched in @backstage/backend-common version 0.21.1.
- Patched in @backstage/backend-common version 0.20.2.
- Patched in @backstage/backend-common version 0.19.10.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our Discord, linked to in the Backstage README
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZmM5LXhwcDgtMmc5aM4AA5ef
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Identifiers: GHSA-2fc9-xpp8-2g9h, CVE-2024-26150
References:
- https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
- https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
- https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
- https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
- https://nvd.nist.gov/vuln/detail/CVE-2024-26150
- https://github.com/advisories/GHSA-2fc9-xpp8-2g9h
Blast Radius: 23.3
Affected Packages
npm:@backstage/backend-common
Dependent packages: 328
Dependent repositories: 472
Downloads: 860,886 last month
Affected Version Ranges: >= 0.20.0, < 0.20.2, < 0.19.10, = 0.21.0
Fixed in: 0.20.2, 0.19.10, 0.21.1
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.19.9, 0.20.0, 0.20.1, 0.21.0
All unaffected versions: 0.19.10, 0.20.2, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.21.6, 0.21.7, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.24.0, 0.24.1, 0.25.0