CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence: Low
EPSS
Percentile: 15.5%
Path checks with the resolveSafeChildPath utility were not exhaustive enough, leading to a risk of path traversal vulnerabilities if symlinks can be injected by attackers.
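A lexical child-path check beside a symlink-aware one, showing the class of gap described above. This is an added example, not Backstage's code or its patch; the function names and the temp-directory fixture are assumptions made for illustration.

```javascript
// Added example; not Backstage's resolveSafeChildPath implementation.
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');

// Lexical containment test: is `target` equal to or below `base`?
function isInside(base, target) {
  const rel = path.relative(base, target);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Weak form: normalises ".." lexically; a symlink under `base` still passes.
function resolveChildLexical(base, input) {
  const target = path.resolve(base, input);
  if (!isInside(base, target)) throw new Error('path escapes base directory');
  return target;
}

// Canonicalise the deepest existing ancestor, then re-append the missing tail.
function realpathAllowMissing(p) {
  const tail = [];
  for (let cur = p; ; cur = path.dirname(cur)) {
    try {
      return path.join(fs.realpathSync(cur), ...tail);
    } catch (err) {
      if (err.code !== 'ENOENT' || path.dirname(cur) === cur) throw err;
      // lstat succeeding here means `cur` is a dangling symlink: refuse it.
      if (fs.lstatSync(cur, { throwIfNoEntry: false })) throw new Error('dangling symlink');
      tail.unshift(path.basename(cur));
    }
  }
}

// Hardened form: compare canonical paths on both sides.
function resolveChildSafe(base, input) {
  const realBase = fs.realpathSync(base);
  const target = realpathAllowMissing(path.resolve(realBase, input));
  if (!isInside(realBase, target)) throw new Error('path escapes base directory');
  return target;
}

// Constructed fixture: workspace/link is a symlink to the directory above the
// workspace. Returns [lexical via link, hardened via link, hardened new file].
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'childpath-'));
  const base = path.join(root, 'workspace');
  fs.mkdirSync(base);
  fs.symlinkSync(root, path.join(base, 'link'));
  const ok = (fn, p) => { try { fn(base, p); return true; } catch { return false; } };
  try { return [ok(resolveChildLexical, 'link/x'), ok(resolveChildSafe, 'link/x'), ok(resolveChildSafe, 'docs/new.md')]; }
  finally { fs.rmSync(root, { recursive: true, force: true }); }
}
```

Canonicalising is a point-in-time check: a link created after it passes is not covered, so the base directory should not be writable by untrusted parties between check and use.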
Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.
If you have any questions or comments about this advisory:
github.com/backstage/backstage
github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
nvd.nist.gov/vuln/detail/CVE-2024-26150