PT-2022-28193 · Unknown · @Backstage/Plugin-Techdocs-Node

Published 2022-06-17 · Updated 2022-06-17

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-techdocs-node versions prior to 1.1.2

Description: A malicious actor with the ability to register entities in the Software Catalog can write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local. This issue is mitigated by the requirement for non-standard field format validators and/or non-standard entity policies in the Software Catalog.

Recommendations: For versions prior to 1.1.2, upgrade to version 1.1.2 or higher. As a temporary workaround, update any custom Catalog field format validators and/or custom entity policies to disallow entity names, kinds, and namespaces containing the sequence "..".
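As an added illustration of the workaround above (this is not code from the Backstage project or the advisory), a standalone TypeScript check that rejects entity kinds, namespaces and names containing ".." or any other path-escaping characters, plus a defence-in-depth check that the resolved publish directory stays under the configured local publisher root. The kind/namespace/name directory layout and the field names are assumptions for the example.

```typescript
import * as path from 'path';

// The three catalog fields a techdocs publisher uses to build its output
// directory (layout kind/namespace/name is assumed for this example).
export interface EntityTriplet {
  kind: string;
  namespace: string;
  name: string;
}

// Allow-list: a segment may only contain letters, digits, '.', '_' and '-',
// and must not start with '.'. This is stricter than merely rejecting '..'
// and also blocks '/', '\\' and absolute-path markers.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

export function isSafeSegment(segment: string): boolean {
  if (!SAFE_SEGMENT.test(segment)) return false;
  // Belt and braces: reject an embedded '..' such as 'a..b' as well.
  if (segment.includes('..')) return false;
  return true;
}

// Returns the names of the fields that fail validation; an empty list means
// a custom entity policy could accept the entity.
export function violations(e: EntityTriplet): string[] {
  return (['kind', 'namespace', 'name'] as const).filter(f => !isSafeSegment(e[f]));
}

// Publisher-side containment check: resolve the target directory and refuse
// anything that does not stay strictly inside the publish root. POSIX path
// semantics are used so the result is deterministic across platforms.
export function resolvePublishDir(root: string, e: EntityTriplet): string | null {
  const base = path.posix.resolve(root);
  const target = path.posix.resolve(base, e.kind, e.namespace, e.name);
  if (target === base || !target.startsWith(base + path.posix.sep)) return null;
  return target;
}

// Constructed sample entities for demonstration (not real catalog data).
export const SAMPLE_OK: EntityTriplet = { kind: 'component', namespace: 'default', name: 'my-service' };
export const SAMPLE_TRAVERSAL: EntityTriplet = { kind: '..', namespace: '..', name: 'etc' };
```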

Related Identifiers

GHSA-4JQC-JVH2-PXG9

Affected Products

@Backstage/Plugin-Techdocs-Node