GHSA-7hv8-3fr9-j2hv

Source
https://github.com/advisories/GHSA-7hv8-3fr9-j2hv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-7hv8-3fr9-j2hv/GHSA-7hv8-3fr9-j2hv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7hv8-3fr9-j2hv
Aliases
Published
2023-02-14T21:35:10Z
Modified
2023-11-08T04:11:52.294748Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
Cross-site scripting vulnerability in Backstage Software Catalog
Details

Impact

This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack.

Patches

This vulnerability has been patched in both the frontend and backend implementations. The default Link component from @backstage/core-components will now reject javascript: URLs, and there is a global override of window.open to do the same.

In addition, the catalog model and the catalog backend now have additional validation built in that prevents javascript: URLs in known annotations.
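The three mitigations above (a Link component that refuses javascript: URLs, a guard around window.open, and validation of URL-bearing entity fields) all reduce to one check on the URL scheme. The following is an added example written for this page, not Backstage's own code: it allowlists schemes with the WHATWG URL parser so that case changes, leading whitespace and embedded tabs or newlines are normalised before comparison, then applies that check in each of the three places. The annotation keys, the placeholder base URL and the sample entity are assumptions constructed for the example.

```javascript
// Added example (not Backstage's own code): scheme allowlisting for
// catalog-supplied URLs, applied at the three points the advisory names:
// (1) a Link-style check, (2) a window.open guard, (3) entity validation.
// Parsing with the WHATWG URL class means case ("JavaScript:"), leading
// whitespace and embedded tabs/newlines ("java\nscript:") are normalised
// before the scheme is compared, so a plain string-prefix check would not
// be enough.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
// Assumed base, used only to resolve relative links such as "/catalog/foo".
const PLACEHOLDER_BASE = 'https://backstage.example.invalid/';

function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value, PLACEHOLDER_BASE);
  } catch {
    return false; // unparseable: treat as unsafe rather than guessing
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// (1) Link-level guard: returns the href to render, or null when the link
// must be neutralised (a component would then render plain text instead).
function safeHref(value) {
  return isSafeUrl(value) ? value : null;
}

// (2) window.open guard: wraps an open() function so blocked URLs are never
// handed to the browser. The function is passed explicitly so this runs
// under Node; in a browser you would pass window.open.bind(window).
function guardWindowOpen(open) {
  return function guardedOpen(url, ...rest) {
    if (!isSafeUrl(url)) {
      return null; // same value window.open returns when a popup is blocked
    }
    return open(url, ...rest);
  };
}

// (3) Entity-level validation: scan the URL-bearing fields of a catalog
// entity and report every offending JSON path. The annotation keys below
// are an assumption for this example, not necessarily the set the project
// validates.
const URL_ANNOTATIONS = ['backstage.io/view-url', 'backstage.io/edit-url'];

function findUnsafeUrls(entity) {
  const problems = [];
  const links = entity?.metadata?.links ?? [];
  links.forEach((link, i) => {
    if (!isSafeUrl(link?.url)) problems.push(`metadata.links[${i}].url`);
  });
  const annotations = entity?.metadata?.annotations ?? {};
  for (const key of URL_ANNOTATIONS) {
    if (key in annotations && !isSafeUrl(annotations[key])) {
      problems.push(`metadata.annotations["${key}"]`);
    }
  }
  return problems;
}

// Constructed sample entity: one benign link, one javascript: link hidden
// behind an embedded newline, and a mixed-case javascript: annotation.
const SAMPLE_ENTITY = {
  apiVersion: 'backstage.io/v1alpha1',
  kind: 'Component',
  metadata: {
    name: 'example-service',
    links: [
      { url: 'https://docs.example.invalid/runbook', title: 'Runbook' },
      { url: 'java\nscript:alert(document.cookie)', title: 'Dashboard' },
    ],
    annotations: {
      'backstage.io/view-url': 'JavaScript:alert(1)',
      'backstage.io/edit-url': '/catalog/example-service/edit',
    },
  },
};

console.log(findUnsafeUrls(SAMPLE_ENTITY));
// → [ 'metadata.links[1].url', 'metadata.annotations["backstage.io/view-url"]' ]
```

The allowlist is deliberately short; if a deployment needs other schemes (for example a custom protocol handler) they are added to ALLOWED_SCHEMES rather than by switching to a denylist, since a denylist has to anticipate every scheme a browser will execute.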

Workarounds

The general practice of limiting access to modifying catalog content and requiring code reviews greatly helps mitigate this vulnerability.

For more information

If you have any questions or comments about this advisory:

References

Affected packages

npm / @backstage/core-components

Package

Name
@backstage/core-components
Purl
pkg:npm/%40backstage/core-components

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.12.4

npm / @backstage/catalog-model

Package

Name
@backstage/catalog-model
Purl
pkg:npm/%40backstage/catalog-model

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.0

npm / @backstage/plugin-catalog-backend

Package

Name
@backstage/plugin-catalog-backend
Purl
pkg:npm/%40backstage/plugin-catalog-backend

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.7.2