CVE-2024-47762 – Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
https://notcve.org/view.php?id=CVE-2024-47762
Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, was unexpectedly ignoring the visibility defined in the configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. • https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc • CWE-440: Expected Behavior Violation •
CVE-2024-45815 – Prototype pollution in @backstage/plugin-catalog-backend
https://notcve.org/view.php?id=CVE-2024-45815
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2024-45816 – Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend
https://notcve.org/view.php?id=CVE-2024-45816
Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. • https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g • CWE-23: Relative Path Traversal •
CVE-2024-46976 – Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend
https://notcve.org/view.php?id=CVE-2024-46976
Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685 • CWE-693: Protection Mechanism Failure •
CVE-2024-26150 – `@backstage/backend-common` vulnerable to path traversal through symlinks
https://notcve.org/view.php?id=CVE-2024-26150
`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, path checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10. • https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717 https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871 https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •