3 matches found
@adamlonsdale/backstage-plugin-armorcode-backend (>=0.0.1-alpha <=0.0.4), @austin-garrard/backstage-plugin-backend (>=0.0.1 <=0.0.1-alpha.22) +188 more potentially affected by CVE-2024-26150 via @backstage/backend-common (>=0.0.0-nightly-20220708025041 <=0.17.0)
@backstage/backend-common NPM version =0.0.0-nightly-20220708025041, =0.0.1-alpha, =0.0.1, =0.0.1, =0.1.0, =0.0.0-nightly-20220709024234, =0.0.0-nightly-20220811024336, =0.0.0-nightly-20240116021644, =0.0.0-nightly-20220709024234, =0.0.0-nightly-2022042277, =0.0.0-nightly-20216821837,...
CVE-2024-26150
creationtimestamp| type| source
---|---|---
2024-02-23 17:26:41+00:00| seen| https://t.me/ctinow/191947
2024-02-23 17:26:50+00:00| seen| https://t.me/ctinow/191956...
CVE-2024-26150
CVE-2024-26150 affects @backstage/backend-common prior to versions 0.21.1, 0.20.2, and 0.19.10, where path checks in resolveSafeChildPath were not exhaustive, enabling potential path traversal if symlinks are injected. The issue is publicly documented across multiple sources (NVD, GHSA advisory, ...