GHSA-2fc9-xpp8-2g9h

Source
https://github.com/advisories/GHSA-2fc9-xpp8-2g9h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2fc9-xpp8-2g9h/GHSA-2fc9-xpp8-2g9h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2fc9-xpp8-2g9h
Published
2024-02-23T18:02:08Z
Modified
2024-02-23T19:43:19Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
`@backstage/backend-common` vulnerable to path traversal through symlinks
Details

Impact

Path checks performed by the resolveSafeChildPath utility were not exhaustive enough, leaving a risk of path traversal if attackers can inject symlinks: a symlink placed inside the permitted directory can point outside it and still pass the check.

Patches

Patched in @backstage/backend-common versions 0.21.1, 0.20.2 and 0.19.10.

For more information

If you have any questions or comments about this advisory:

Database specific
{
    "nvd_published_at": "2024-02-23T16:15:48Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-23T18:02:08Z"
}
Affected packages

npm / @backstage/backend-common

Package

Name
@backstage/backend-common
Purl
pkg:npm/%40backstage/backend-common

Affected ranges

Type
SEMVER
Events
Introduced
0.21.0
Fixed
0.21.1

Affected versions

0.21.0

npm / @backstage/backend-common

Package

Name
@backstage/backend-common
Purl
pkg:npm/%40backstage/backend-common

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.19.10

npm / @backstage/backend-common

Package

Name
@backstage/backend-common
Purl
pkg:npm/%40backstage/backend-common

Affected ranges

Type
SEMVER
Events
Introduced
0.20.0
Fixed
0.20.2