Описание
@backstage/backend-common vulnerable to path traversal through symlinks
Impact
Paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.
Patches
Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our Discord, linked to in Backstage README
Ссылки
- https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
- https://nvd.nist.gov/vuln/detail/CVE-2024-26150
- https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
- https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
- https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
Пакеты
@backstage/backend-common
= 0.21.0
0.21.1
@backstage/backend-common
< 0.19.10
0.19.10
@backstage/backend-common
>= 0.20.0, < 0.20.2
0.20.2
Связанные уязвимости
`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.
`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.