CVE-2024-26150

Summary

@backstage/backend-common is a common functionality library for backends for Backstage, an open platform for building developer portals. In @backstage/backend-common prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in @backstage/backend-common versions 0.21.1, 0.20.2, and 0.19.10.

Affected Software

VendorProductVersion RangeStatus
backstagebackstage= 0.21.0affected
backstagebackstage< 0.19.10affected
backstagebackstage>= 0.20.0, < 0.20.2affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References