95 matches found
Malicious code in techdocs-cli-embedded-app (npm)
Source: ghsa-malware b6523ca476cc6b141bf6eb3cc01162248af09aeb7f527940ba0927c5961fbf35 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-6445 Malicious code in techdocs-cli-embedded-app (npm)
Source: ghsa-malware b6523ca476cc6b141bf6eb3cc01162248af09aeb7f527940ba0927c5961fbf35 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@backstage/plugin-techdocs (>=0.0.0-nightly-2021242250 <=0.0.0-nightly-2020112923923), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-2021112332 <=0.14.1) +1 more potentially affected by unknown CVE via @backstage/techdocs-common (>=0.0.0-nightly-20220923026 <=0.11.15)
@backstage/techdocs-common NPM version =0.0.0-nightly-20220923026, =0.0.0-nightly-2021242250, =0.0.0-nightly-2021112332, =0.0.0-nightly-2022122206, =0.8.16 Source cves: unknown CVE Source advisory: OSV:GHSA-4JQC-JVH2-PXG9...
GHSA-4JQC-JVH2-PXG9 Path traversal for local publishers in TechDocs backend
Impact A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local. This vulnerability is mitigated by the fact that the Software Catalog must be...
Path traversal for local publishers in TechDocs backend
Impact A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local. This vulnerability is mitigated by the fact that the Software Catalog must be...
@backstage-community/plugin-techdocs-backend-module-confluence (>=0.2.0 <=0.2.1), @backstage/plugin-search-backend-module-techdocs (>=0.0.0-nightly-20230323021924 <=0.4.14-next.1) +12 more potentially affected by unknown CVE via @backstage/plugin-techdocs-node (>=0.0.0-nightly-20220315022536 <=1.1.2-next.2)
@backstage/plugin-techdocs-node NPM version =0.0.0-nightly-20220315022536, =0.2.0, =0.0.0-nightly-20230323021924, =0.0.0-nightly-202111212297, =0.0.0-nightly-20220305022735, =1.0.0, =1.6.0, =0.0.4, =1.9.1, =1.0.1, =1.0.1, =0.0.0-nightly-2022122206, =0.1.5, =0.1.2, =1.1.0 Source cves: unknown CVE...
Welcome to Akamai TechDocs
We're pleased to announce the launch of Akamai’s brand-new documentation site: techdocs.akamai.com. Powered by ReadMe, our new site offers intuitive and interactive content designed to help you get the most out of your Akamai products...
Directory Traversal
@backstage/techdocs-common is vulnerable to directory traversal. An attacker can read arbitrary system files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml...
@backstage/plugin-catalog (>=0.0.0-nightly-202011242419 <=0.2.9), @backstage/plugin-techdocs (>=0.0.0-nightly-2021242250 <=0.7.0) +2 more potentially affected by CVE-2021-32660 via @backstage/techdocs-common (>=0.0.0-nightly-20220923026 <=0.5.1)
@backstage/techdocs-common NPM version =0.0.0-nightly-20220923026, =0.0.0-nightly-202011242419, =0.0.0-nightly-2021242250, =0.0.0-nightly-2021112332, =0.0.0-nightly-2022122206, =0.8.16 Source cves: CVE-2021-32660 Source advisory: OSV:GHSA-PWHF-39XG-4RXW...
Script injection
Impact A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is...
GHSA-PWHF-39XG-4RXW Script injection
Impact A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is...
GHSA-GG96-F8WR-P89F Script injection
Impact A malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limite...
@backstage/plugin-api-docs (>=0.1.1 <=0.1.1-alpha.26), @backstage/plugin-catalog (>=0.0.0-nightly-2020972106 <=0.2.9) +20 more potentially affected by CVE-2021-32661 via @backstage/plugin-techdocs (>=0.0.0-nightly-20220708025041 <=0.5.8)
@backstage/plugin-techdocs NPM version =0.0.0-nightly-20220708025041, =0.1.1, =0.0.0-nightly-2020972106, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.1-alpha.19, =0.0.0-nightly-20220504024625, =0.1.2, =0.1.3 - @roadiehq/backstage-plugin-buildkite =0.1.0 and more Source cve...
Script injection
Impact A malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limite...
Path traversal
Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...
@backstage/plugin-catalog (>=0.0.0-nightly-202011242419 <=0.2.9), @backstage/plugin-techdocs (>=0.0.0-nightly-2021242250 <=0.7.0) +2 more potentially affected by CVE-2021-32662 via @backstage/techdocs-common (>=0.0.0-nightly-20220923026 <=0.5.1)
@backstage/techdocs-common NPM version =0.0.0-nightly-20220923026, =0.0.0-nightly-202011242419, =0.0.0-nightly-2021242250, =0.0.0-nightly-2021112332, =0.0.0-nightly-2022122206, =0.8.16 Source cves: CVE-2021-32662 Source advisory: OSV:GHSA-PGF8-28GG-VPR6...
GHSA-PGF8-28GG-VPR6 Path traversal
Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...
Information Disclosure
@backstage/techdocs-common is vulnerable to information disclosure. An attacker is able to bypass sanitization by uploading documentation content with malicious scripts that would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the...
CVE-2021-32662
Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In @backstage/techdocs-common versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is buil...
CVE-2021-32662
Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In @backstage/techdocs-common versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is buil...