CVE-2024-45815

2024-09-1721:15:12

CWE-1321

GitHub_M

web.nvd.nist.gov

backstage

framework

vulnerability

fix

upgrade

authenticated access

catalog backend plugin

interrupt service

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.6%

JSON

Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Node

backstagebackstageRange<1.26.0

VendorProductVersionCPE
backstagebackstage*cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
backstage	backstage	*	cpe:2.3:a:backstage:backstage::::::::

CNA Affected

[
  {
    "vendor": "backstage",
    "product": "backstage",
    "versions": [
      {
        "version": "< 1.26.0",
        "status": "affected"
      }
    ]
  }
]