Lucene search

GitHub_MVULNRICHMENT:CVE-2024-45815

HistorySep 17, 2024 - 8:14 p.m.

CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend

2024-09-1720:14:31

CWE-1321

GitHub_M

github.com

cve-2024-45815

prototype pollution

backstage

plugin-catalog-backend

1.26.0

vulnerability

upgrade

api

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.6

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.6

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-45815