Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13N2ZqLTMzNnItdnc0Oc0YPw
Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend
Impact
This vulnerability allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities.
Patches
This is vulnerability is patched in version 0.4.9 of @backstage/plugin-auth-backend.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our chat, linked to in Backstage README
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N2ZqLTMzNnItdnc0Oc0YPw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-w7fj-336r-vw49, CVE-2021-43776
References:
- https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49
- https://nvd.nist.gov/vuln/detail/CVE-2021-43776
- https://github.com/backstage/backstage/tree/master/plugins/auth-backend
- https://github.com/advisories/GHSA-w7fj-336r-vw49
Blast Radius: 18.3
Affected Packages
npm:@backstage/plugin-auth-backend
Dependent packages: 14Dependent repositories: 293
Downloads: 185,834 last month
Affected Version Ranges: < 0.4.9
Fixed in: 0.4.9
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.3.20, 0.3.21, 0.3.22, 0.3.23, 0.3.24, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8
All unaffected versions: 0.4.9, 0.4.10, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.18.6, 0.18.7, 0.18.8, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4