Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

6 matches found

Veracode
Veracodeadded 2023/06/27 2:16 p.m.19 views

Arbitrary Code Injection

@backstage/plugin-scaffolder-backend is vulnerable to Arbitrary Code Injection. The vulnerability exists due to sandbox bypass in ScaffolderEntitiesProcessor.js, which allows an attacker with write access to a registered scaffolder template to inject code through the YAML template definition...

9.9CVSS7.1AI score0.01503EPSS
Exploits0References3Affected Software1
NVD
NVDadded 2023/06/22 2:15 p.m.25 views

CVE-2023-35926

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and...

9.9CVSS9AI score0.01503EPSS
Exploits0References3
Github Security Blog
Github Security Blogadded 2021/12/01 6:29 p.m.14 views

RCE vulnerability affecting v1beta3 templates in @backstage/plugin-scaffolder-backend

The templating library used by the scaffolder backend assumes that templates are trusted which is an undesired property of the scaffolder-backend. This has now been mitigated by sandboxing the template code execution. Impact A malicious actor with write access to a registered scaffolder template...

1.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blogadded 2021/12/01 6:28 p.m.45 views

Path Traversal in @backstage/plugin-scaffolder-backend

Impact A malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a...

8.5CVSS2.3AI score0.01206EPSS
Exploits0References4Affected Software1
Cvelist
Cvelistadded 2021/11/29 7:20 p.m.14 views

CVE-2021-43783 Path Traversal in @backstage/plugin-scaffolder-backend

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend...

8.5CVSS8.5AI score0.01206EPSS
Exploits0References2
NVD
NVDadded 2021/10/18 9:15 p.m.12 views

CVE-2021-41151

Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a github:publish:pull-request action and a...

6.8CVSS0.01273EPSS
Exploits0References2
Rows per page
Query Builder