PT-2021-23930 · Unknown · @Backstage/Plugin-Scaffolder-Backend

Rugvip · Published 2021-11-29 · Updated 2025-01-03 · CVE-2021-43783

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 0.15.14
Description: A malicious actor with write access to a registered scaffolder template can manipulate the template to write files to arbitrary paths on the scaffolder-backend host instance. This issue can also be exploited through user input when executing a template, although this method does not allow control of the injected file's contents unless the template is specifically crafted to provide such control.
Recommendations: For versions prior to 0.15.14, update to version 0.15.14 to resolve the issue. As a temporary workaround, consider restricting access and requiring reviews when registering or modifying scaffolder templates to mitigate the attack.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-43783
GHSA-MG3M-F475-28HV

Affected Products

@Backstage/Plugin-Scaffolder-Backend