CVE-2021-32662

Опубликовано: 03 июн. 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 3.5

EPSS Низкий

Описание

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In @backstage/techdocs-common versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docs_dir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the mkdocs.yml in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the 0.6.3 release of @backstage/techdocs-common.

Ссылки

https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208
Patch
Third Party Advisory
https://github.com/backstage/backstage/releases/tag/release-2021-05-27
Release Notes
Third Party Advisory
https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6
Third Party Advisory
https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208
Patch
Third Party Advisory
https://github.com/backstage/backstage/releases/tag/release-2021-05-27
Release Notes
Third Party Advisory
https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*

Версия до 0.6.3 (исключая)

EPSS

Процентиль: 65%

0.00484

Низкий

6.5 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-pgf8-28gg-vpr6