Lucene search

GitHub_MCVELIST:CVE-2024-45815

HistorySep 17, 2024 - 8:14 p.m.

CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend

2024-09-1720:14:31

CWE-1321

GitHub_M

www.cve.org

cve-2024-45815

prototype pollution

backstage framework

developer portals

catalog backend plugin

authenticated access

service interruption

specially crafted query

catalog api

1.26.0 release

upgrade

vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.6%

JSON

Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "backstage",
    "product": "backstage",
    "versions": [
      {
        "version": "< 1.26.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.6%

JSON

Related for CVELIST:CVE-2024-45815