PT-2024-21301 · Npm · @Backstage/Backend-Common
Benjdlambert · Published 2024-02-23 · Updated 2024-02-27 · CVE-2024-26150

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
@backstage/backend-common versions prior to 0.21.1
@backstage/backend-common versions prior to 0.20.2
@backstage/backend-common versions prior to 0.19.10
Description
The issue concerns the @backstage/backend-common library, where the path checks performed by the resolveSafeChildPath utility were not exhaustive enough, leading to a risk of path traversal vulnerabilities if symlinks can be injected by attackers.

Recommendations
For versions prior to 0.21.1, update to version 0.21.1 or later.
For versions prior to 0.20.2, update to version 0.20.2 or later.
For versions prior to 0.19.10, update to version 0.19.10 or later.
As a temporary workaround, consider restricting the use of the resolveSafeChildPath utility until a patch is applied.

Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
@Backstage/Backend-Common