MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBnZjgtMjhnZy12cHI2

Moderate EPSS: 0.00484% (0.64514 Percentile) EPSS:

Permalink JSON

Path traversal

Affected Packages	Affected Versions	Fixed Versions
npm:@backstage/techdocs-common PURL: `pkg:npm/%40backstage%2Ftechdocs-common`	< 0.6.3	0.6.3
4 Dependent packages 79 Dependent repositories 2,168 Downloads last month Affected Version Ranges All affected versions 0.0.0-nightly-2021016359, 0.0.0-nightly-2021017367, 0.0.0-nightly-2021022423, 0.0.0-nightly-2021032473, 0.0.0-nightly-2021042480, 0.0.0-nightly-2021112332, 0.0.0-nightly-2021242250, 0.0.0-nightly-2021252249, 0.0.0-nightly-2021442275, 0.0.0-nightly-2021523614, 0.0.0-nightly-2021533445, 0.0.0-nightly-2021612205, 0.0.0-nightly-2021812202, 0.0.0-nightly-2021972229, 0.0.0-nightly-20210124517, 0.0.0-nightly-20210133124, 0.0.0-nightly-20210143754, 0.0.0-nightly-20210183538, 0.0.0-nightly-20210193842, 0.0.0-nightly-20210203828, 0.0.0-nightly-20210262290, 0.0.0-nightly-20210272305, 0.0.0-nightly-20210524859, 0.0.0-nightly-20210625032, 0.0.0-nightly-20210725232, 0.0.0-nightly-20211022229, 0.0.0-nightly-20211072262, 0.0.0-nightly-20211223141, 0.0.0-nightly-20211282237, 0.0.0-nightly-20211322526, 0.0.0-nightly-20212122546, 0.0.0-nightly-20212152292, 0.0.0-nightly-20212221248, 0.0.0-nightly-20212322253, 0.0.0-nightly-20212622340, 0.0.0-nightly-20212722653, 0.0.0-nightly-20212822648, 0.0.0-nightly-20212922838, 0.0.0-nightly-20214122931, 0.0.0-nightly-20214223124, 0.0.0-nightly-20214322935, 0.0.0-nightly-20214522419, 0.0.0-nightly-20214622436, 0.0.0-nightly-20215923438, 0.0.0-nightly-20216321437, 0.0.0-nightly-20216421633, 0.0.0-nightly-20216521717, 0.0.0-nightly-20216621753, 0.0.0-nightly-20216721750, 0.0.0-nightly-20216821837, 0.0.0-nightly-20217122173, 0.0.0-nightly-20217282182, 0.0.0-nightly-20217421937, 0.0.0-nightly-20217521743, 0.0.0-nightly-20218132205, 0.0.0-nightly-20218142218, 0.0.0-nightly-20218221816, 0.0.0-nightly-20219622210, 0.0.0-nightly-20220623347, 0.0.0-nightly-20220723117, 0.0.0-nightly-20220823130, 0.0.0-nightly-20220923026, 0.0.0-nightly-202011132190, 0.0.0-nightly-202011142218, 0.0.0-nightly-202011152214, 0.0.0-nightly-202011172224, 0.0.0-nightly-202101225949, 0.0.0-nightly-202102131012, 0.0.0-nightly-202102822956, 0.0.0-nightly-202103023316, 0.0.0-nightly-202103123135, 0.0.0-nightly-202110122318, 0.0.0-nightly-202110152240, 0.0.0-nightly-202110162216, 0.0.0-nightly-202110322147, 0.0.0-nightly-202110422117, 0.0.0-nightly-202110522059, 0.0.0-nightly-202110622114, 0.0.0-nightly-202110822217, 0.0.0-nightly-202110922220, 0.0.0-nightly-202111121833, 0.0.0-nightly-202111222339, 0.0.0-nightly-202111282332, 0.0.0-nightly-202111321628, 0.0.0-nightly-202111421743, 0.0.0-nightly-202111521822, 0.0.0-nightly-202111621648, 0.0.0-nightly-202111721417, 0.0.0-nightly-202111722620, 0.0.0-nightly-202111821617, 0.0.0-nightly-202111822629, 0.0.0-nightly-202111922557, 0.0.0-nightly-202112021940, 0.0.0-nightly-202112121915, 0.0.0-nightly-202112222022, 0.0.0-nightly-202112321938, 0.0.0-nightly-202112721938, 0.0.0-nightly-202121022744, 0.0.0-nightly-202121122711, 0.0.0-nightly-202121222849, 0.0.0-nightly-202121322742, 0.0.0-nightly-202121422829, 0.0.0-nightly-202121622848, 0.0.0-nightly-202121722854, 0.0.0-nightly-202121823014, 0.0.0-nightly-202132722814, 0.0.0-nightly-202132822813, 0.0.0-nightly-202132922620, 0.0.0-nightly-202141122958, 0.0.0-nightly-202141223240, 0.0.0-nightly-202141823433, 0.0.0-nightly-202141923045, 0.0.0-nightly-202142023115, 0.0.0-nightly-202142725110, 0.0.0-nightly-202151023138, 0.0.0-nightly-202152921754, 0.0.0-nightly-202153022114, 0.0.0-nightly-202161321735, 0.0.0-nightly-202161421532, 0.0.0-nightly-202161521855, 0.0.0-nightly-202162022152, 0.0.0-nightly-202162122152, 0.0.0-nightly-202162222215, 0.0.0-nightly-202162921842, 0.0.0-nightly-202171121715, 0.0.0-nightly-202172621715, 0.0.0-nightly-202172721953, 0.0.0-nightly-202172921910, 0.0.0-nightly-202173021720, 0.0.0-nightly-202173121752, 0.0.0-nightly-202181122031, 0.0.0-nightly-202181221950, 0.0.0-nightly-202181521952, 0.0.0-nightly-202181622118, 0.0.0-nightly-202183022336, 0.0.0-nightly-202191622432, 0.0.0-nightly-202191722049, 0.0.0-nightly-202191822546, 0.0.0-nightly-202191922036, 0.0.0-nightly-202192022219, 0.0.0-nightly-202192122645, 0.0.0-nightly-202192621851, 0.0.0-nightly-202192722215, 0.0.0-nightly-202192822050, 0.0.0-nightly-202193022211, 0.0.0-nightly-202193122459, 0.0.0-nightly-202201122931, 0.0.0-nightly-202201323044, 0.0.0-nightly-202201921950, 0.0.0-nightly-202202022734, 0.0.0-nightly-2020111622153, 0.0.0-nightly-2020112223434, 0.0.0-nightly-2020112923923, 0.0.0-nightly-2020113023951, 0.0.0-nightly-2020113124333, 0.0.0-nightly-2021101022158, 0.0.0-nightly-2021101122259, 0.0.0-nightly-2021101222132, 0.0.0-nightly-2021101322257, 0.0.0-nightly-2021101422237, 0.0.0-nightly-2021101722431, 0.0.0-nightly-2021102322318, 0.0.0-nightly-2021102422528, 0.0.0-nightly-2021102522541, 0.0.0-nightly-2021112322755, 0.0.0-nightly-2021112422718, 0.0.0-nightly-2021112522918, 0.0.0-nightly-2021112622820, 0.0.0-nightly-2021112723138, 0.0.0-nightly-2021112922954, 0.0.0-nightly-2021113022546, 0.0.0-nightly-20220203021748, 0.0.0-nightly-20220209022121, 0.0.0-nightly-20220210021913, 0.0.0-nightly-20220212022325, 0.0.0-nightly-20220213022110, 0.0.0-nightly-20220214021635, 0.0.0-nightly-20220215022550, 0.0.0-nightly-20220216022224, 0.0.0-nightly-20220217022146, 0.0.0-nightly-20220218022735, 0.0.0-nightly-20220219022334, 0.0.0-nightly-20220220022427, 0.0.0-nightly-20220221022454, 0.0.0-nightly-20220222022224, 0.0.0-nightly-20220223022848, 0.0.0-nightly-20220224022833, 0.0.0-nightly-20220227022529, 0.0.0-nightly-20220228022605, 0.0.0-nightly-20220301023335, 0.0.0-nightly-20220302023312, 0.0.0-nightly-20220303023541, 0.0.0-nightly-20220305022735, 0.0.0-nightly-20220306022754, 0.0.0-nightly-20220307022304, 0.0.0-nightly-20220308022132, 0.0.0-nightly-20220309022441, 0.0.0-nightly-20220310022859, 0.0.0-nightly-20220315022536, 0.0.0-nightly-20220316022902, 0.0.0-nightly-20220317022557, 0.0.0-nightly-20220323023253, 0.0.0-nightly-20220324023116, 0.0.0-nightly-20220325022909, 0.0.0-nightly-20220326022848, 0.0.0-nightly-20220327022954, 0.0.0-nightly-20220328023349, 0.0.0-nightly-20220329023345, 0.0.0-nightly-20220330023352, 0.0.0-nightly-20220331023254, 0.0.0-nightly-20220401024216, 0.0.0-nightly-20220402023243, 0.0.0-nightly-20220403023234, 0.0.0-nightly-20220404023441, 0.0.0-nightly-20220405023238, 0.0.0-nightly-20220406023303, 0.0.0-nightly-20220407023218, 0.0.0-nightly-20220408023622, 0.0.0-nightly-20220409023050, 0.0.0-nightly-20220410023309, 0.0.0-nightly-20220411023616, 0.0.0-nightly-20220412023410, 0.0.0-nightly-20220413023505, 0.0.0-nightly-20220414023749, 0.0.0-nightly-20220415024634, 0.0.0-nightly-20220416023406, 0.0.0-nightly-20220417023605, 0.0.0-nightly-20220418024512, 0.0.0-nightly-20220419024359, 0.0.0-nightly-20220426024700, 0.0.0-nightly-20220427024951, 0.0.0-nightly-20220428025925, 0.0.0-nightly-20220429024638, 0.0.0-nightly-20220430024336, 0.0.0-nightly-20220501025208, 0.0.0-nightly-20220502025029, 0.0.0-nightly-20220503024657, 0.0.0-nightly-20220504024625, 0.0.0-nightly-20220505023756, 0.0.0-nightly-20220506023454, 0.0.0-nightly-20220507023751, 0.0.0-nightly-20220508024231, 0.0.0-nightly-20220509024521, 0.0.0-nightly-20220510022953, 0.0.0-nightly-20220511024315, 0.0.0-nightly-20220512024113, 0.0.0-nightly-20220513024945, 0.0.0-nightly-20220514025553, 0.0.0-nightly-20220515024439, 0.0.0-nightly-20220516023848, 0.0.0-nightly-20220517024505, 0.0.0-nightly-20220525024352, 0.0.0-nightly-20220526024803, 0.0.0-nightly-20220527024541, 0.0.0-nightly-20220528023512, 0.0.0-nightly-20220529024825, 0.0.0-nightly-20220530025009, 0.0.0-nightly-20220531024457, 0.0.0-nightly-20220601025619, 0.0.0-nightly-20220602024936, 0.0.0-nightly-20220603023939, 0.0.0-nightly-20220604023645, 0.0.0-nightly-20220605024123, 0.0.0-nightly-20220606024253, 0.0.0-nightly-20220607024221, 0.0.0-nightly-20220608024714, 0.0.0-nightly-20220609024358, 0.0.0-nightly-20220610024824, 0.0.0-nightly-20220611024121, 0.0.0-nightly-20220612024701, 0.0.0-nightly-20220613024651, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2 All unaffected versions 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15

Impact

A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docs_dir in mkdocs.yml. These files would then be available over the TechDocs backend API.

This vulnerability is mitigated by the fact that an attacker would need access to modify the mkdocs.yml in the documentation source code, and would also need access to the TechDocs backend API.

Patches

The vulnerability is patched in the 0.6.3 release of @backstage/techdocs-common.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our chat, linked to in Backstage README

References:

Identifiers

GHSA-pgf8-28gg-vpr6

CVE-2021-32662

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00484

EPSS Percentile: 0.64514

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/backstage/backstage

Date and time

Published

over 4 years ago

Updated

about 5 hours ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories