PT-2021-19840 · Unknown · @Backstage/Techdocs-Common
Rugvip · Published 2021-06-03 · Updated 2021-06-21 · CVE-2021-32662

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @backstage/techdocs-common versions prior to 0.6.3

Description: A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docs dir in mkdocs.yml. These files would then be available over the TechDocs backend API. This issue is mitigated by the fact that an attacker would need access to modify the mkdocs.yml in the documentation source code, and would also need access to the TechDocs backend API.

Recommendations: For versions prior to 0.6.3, update to the 0.6.3 release of @backstage/techdocs-common to patch the vulnerability. As a temporary workaround, consider restricting access to the TechDocs backend API and limiting the ability to modify the mkdocs.yml file in the documentation source code.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-32662
GHSA-PGF8-28GG-VPR6

Affected Products

@Backstage/Techdocs-Common